{"url":"http://public2.vulnerablecode.io/api/packages/355396?format=json","purl":"pkg:gem/rails@7.0.2.4","type":"gem","namespace":"","name":"rails","version":"7.0.2.4","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.0.8.1","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15397?format=json","vulnerability_id":"VCID-5bh7-drnb-7ygg","summary":"Rails has possible XSS Vulnerability in Action Controller\n# Possible XSS Vulnerability in Action Controller\n\nThere is a possible XSS vulnerability when using the translation helpers\n(`translate`, `t`, etc) in Action Controller. This vulnerability has been\nassigned the CVE identifier CVE-2024-26143.\n\nVersions Affected:  >= 7.0.0.\nNot affected:       < 7.0.0\nFixed Versions:     7.1.3.1, 7.0.8.1\n\nImpact\n------\nApplications using translation methods like `translate`, or `t` on a\ncontroller, with a key ending in \"_html\", a `:default` key which contains\nuntrusted user input, and the resulting string is used in a view, may be\nsusceptible to an XSS vulnerability.\n\nFor example, impacted code will look something like this:\n\n```ruby\nclass ArticlesController < ApplicationController\n  def show  \n    @message = t(\"message_html\", default: untrusted_input)\n    # The `show` template displays the contents of `@message`\n  end\nend\n```\n\nTo reiterate the pre-conditions, applications must:\n\n* Use a translation function from a controller (i.e. _not_ I18n.t, or `t` from\n  a view)\n* Use a key that ends in `_html`\n* Use a default value where the default value is untrusted and unescaped input\n* Send the text to the victim (whether that's part of a template, or a\n  `render` call)\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n*  7-0-translate-xss.patch - Patch for 7.0 series\n*  7-1-translate-xss.patch - Patch for 7.1 series\n\nCredits\n-------\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the patch and fix!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json","reference_id":"","reference_type":"","scores":[{"value":"4.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26143.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26143","reference_id":"","reference_type":"","scores":[{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83998","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83993","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83985","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83959","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83957","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83933","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83937","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83944","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83921","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83898","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83896","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.8388","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02067","scoring_system":"epss","scoring_elements":"0.83927","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26143"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://github.com/rails/rails/commit/4c83b331092a79d58e4adffe4be5f250fa5782cc"},{"reference_url":"https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://github.com/rails/rails/commit/5187a9ef51980ad1b8e81945ebe0462d28f84f9e"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-9822-6m93-xqf4"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26143.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26143","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26143"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0004","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240510-0004"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266388","reference_id":"2266388","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266388"},{"reference_url":"https://github.com/advisories/GHSA-9822-6m93-xqf4","reference_id":"GHSA-9822-6m93-xqf4","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9822-6m93-xqf4"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0004/","reference_id":"ntap-20240510-0004","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-29T18:24:49Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240510-0004/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54403?format=json","purl":"pkg:gem/rails@7.0.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/54405?format=json","purl":"pkg:gem/rails@7.1.3.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.1.3.1"}],"aliases":["CVE-2024-26143","GHSA-9822-6m93-xqf4"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bh7-drnb-7ygg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16106?format=json","vulnerability_id":"VCID-63gy-6njy-kbd8","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792","reference_id":"","reference_type":"","scores":[{"value":"0.02264","scoring_system":"epss","scoring_elements":"0.84652","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02264","scoring_system":"epss","scoring_elements":"0.8469","published_at":"2026-04-29T12:55:00Z"},{"value":"0.02264","scoring_system":"epss","scoring_elements":"0.8468","published_at":"2026-04-24T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.8567","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85734","published_at":"2026-04-18T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85729","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85707","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85711","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85715","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85701","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85689","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85663","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02639","scoring_system":"epss","scoring_elements":"0.85646","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800","reference_id":"2164800","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792","reference_id":"CVE-2023-22792","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792"},{"reference_url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj","reference_id":"GHSA-p84v-45xj-wwqj","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007/","reference_id":"ntap-20240202-0007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55813?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22792","GHSA-p84v-45xj-wwqj","GMS-2023-58"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-63gy-6njy-kbd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/15665?format=json","vulnerability_id":"VCID-65tq-e5eb-eucj","summary":"Rails has possible Sensitive Session Information Leak in Active Storage\n# Possible Sensitive Session Information Leak in Active Storage\n\nThere is a possible sensitive session information leak in Active Storage.  By\ndefault, Active Storage sends a `Set-Cookie` header along with the user's\nsession cookie when serving blobs.  It also sets `Cache-Control` to public.\nCertain proxies may cache the Set-Cookie, leading to an information leak.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-26144.\n\nVersions Affected:  >= 5.2.0, < 7.1.0\nNot affected:       < 5.2.0, > 7.1.0\nFixed Versions:     7.0.8.1, 6.1.7.7\n\nImpact\n------\nA proxy which chooses to caches this request can cause users to share\nsessions. This may include a user receiving an attacker's session or vice\nversa.\n\nThis was patched in 7.1.0 but not previously identified as a security\nvulnerability.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUpgrade to Rails 7.1.X, or configure caching proxies not to cache the\nSet-Cookie headers.\n\nCredits\n-------\n\nThanks to [tyage](https://hackerone.com/tyage) for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144","reference_id":"","reference_type":"","scores":[{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86851","published_at":"2026-04-29T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86845","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86828","published_at":"2026-04-21T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86829","published_at":"2026-04-18T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86825","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86809","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86814","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86818","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86759","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86796","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86776","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86778","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03103","scoring_system":"epss","scoring_elements":"0.86804","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433"},{"reference_url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119","reference_id":"1065119","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063","reference_id":"2266063","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063"},{"reference_url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"GHSA-8h22-8cf7-hq6g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013/","reference_id":"ntap-20240510-0013","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10806","reference_id":"RHSA-2024:10806","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10806"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/54403?format=json","purl":"pkg:gem/rails@7.0.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.8.1"}],"aliases":["CVE-2024-26144","GHSA-8h22-8cf7-hq6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-65tq-e5eb-eucj"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16102?format=json","vulnerability_id":"VCID-6tty-dbwx-rbgx","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22797.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22797.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22797","reference_id":"","reference_type":"","scores":[{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.332","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33605","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33638","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33476","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3352","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33554","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33548","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33506","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33482","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33518","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.33494","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3346","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.333","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00137","scoring_system":"epss","scoring_elements":"0.3328","published_at":"2026-04-26T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22797"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:07:07Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22797.yml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164793","reference_id":"2164793","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164793"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22797","reference_id":"CVE-2023-22797","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22797"},{"reference_url":"https://github.com/advisories/GHSA-9445-4cr6-336r","reference_id":"GHSA-9445-4cr6-336r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9445-4cr6-336r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55813?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22797","GHSA-9445-4cr6-336r","GMS-2023-57"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6tty-dbwx-rbgx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16390?format=json","vulnerability_id":"VCID-hppf-a715-r7b2","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.79834","published_at":"2026-04-29T12:55:00Z"},{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.79819","published_at":"2026-04-26T12:55:00Z"},{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.79812","published_at":"2026-04-24T12:55:00Z"},{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.79782","published_at":"2026-04-21T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.8121","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81234","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81262","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81267","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81288","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81274","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81266","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81303","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01523","scoring_system":"epss","scoring_elements":"0.81305","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55813?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-5bh7-drnb-7ygg"},{"vulnerability":"VCID-65tq-e5eb-eucj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-hppf-a715-r7b2"}],"fixing_vulnerabilities":[],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.2.4"}