VulnerableCode Package Details - pkg:gem/actionpack@7.1.3.4

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-b7z5-h1bw-tya9	Missing security headers in Action Pack on non-HTML responses # Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series * 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series * 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series Credits ------- Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!	CVE-2024-28103 GHSA-fwhr-88qx-h9g7

Vulnerability

Summary

Aliases

VCID-b7z5-h1bw-tya9

Missing security headers in Action Pack on non-HTML responses # Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series * 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series * 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series Credits ------- Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!

CVE-2024-28103
GHSA-fwhr-88qx-h9g7

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-29T14:32:11.120670+00:00	GHSA Importer	Fixing	VCID-b7z5-h1bw-tya9	https://github.com/advisories/GHSA-fwhr-88qx-h9g7	38.6.0
2026-05-29T08:46:09.238972+00:00	GithubOSV Importer	Fixing	VCID-b7z5-h1bw-tya9	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fwhr-88qx-h9g7/GHSA-fwhr-88qx-h9g7.json	38.6.0

2026-05-29T14:32:11.120670+00:00

GHSA Importer

Fixing

VCID-b7z5-h1bw-tya9

https://github.com/advisories/GHSA-fwhr-88qx-h9g7

38.6.0

2026-05-29T08:46:09.238972+00:00

GithubOSV Importer

Fixing

VCID-b7z5-h1bw-tya9

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fwhr-88qx-h9g7/GHSA-fwhr-88qx-h9g7.json

38.6.0