VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-p22r-u1dd-b7b3

Essentials
Severities (27)
References (12)
Severity details (18)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-p22r-u1dd-b7b3
Aliases	CVE-2024-28103 GHSA-fwhr-88qx-h9g7
Summary	Missing security headers in Action Pack on non-HTML responses # Permissions-Policy is Only Served on HTML Content-Type The application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This has been assigned the CVE identifier CVE-2024-28103. Versions Affected: >= 6.1.0 Not affected: < 6.1.0 Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4 Impact ------ Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- N/A Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the supported release series in accordance with our [maintenance policy](https://guides.rubyonrails.org/maintenance_policy.html#security-issues) regarding security issues. They are in git-am format and consist of a single changeset. * 6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series * 7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series * 7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series Credits ------- Thank you [shinkbr](https://hackerone.com/shinkbr) for reporting this!
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-20	Improper Input Validation
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.4	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
epss	0.00832	https://api.first.org/data/v1/epss?cve=CVE-2024-28103
cvssv3.1	5.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-fwhr-88qx-h9g7
cvssv3.1	5.4	https://github.com/rails/rails
generic_textual	MODERATE	https://github.com/rails/rails
cvssv3.1	5.4	https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
generic_textual	MODERATE	https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
ssvc	Track	https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
cvssv3	5.4	https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
cvssv3.1	5.4	https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
cvssv3.1_qr	MODERATE	https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
generic_textual	MODERATE	https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
ssvc	Track	https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
cvssv3.1	5.4	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
generic_textual	MODERATE	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
cvssv3.1	5.4	https://nvd.nist.gov/vuln/detail/CVE-2024-28103
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2024-28103
cvssv3.1	5.4	https://security.netapp.com/advisory/ntap-20241206-0002
generic_textual	MODERATE	https://security.netapp.com/advisory/ntap-20241206-0002

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-28103
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/rails/rails
		https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523
		https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml
		https://nvd.nist.gov/vuln/detail/CVE-2024-28103
		https://security.netapp.com/advisory/ntap-20241206-0002
1072705		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1072705
2290530		https://bugzilla.redhat.com/show_bug.cgi?id=2290530
GHSA-fwhr-88qx-h9g7		https://github.com/advisories/GHSA-fwhr-88qx-h9g7

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-28103.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/rails/rails

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/ Found at https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-20T16:17:47Z/ Found at https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-28103

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N Found at https://security.netapp.com/advisory/ntap-20241206-0002

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.74532
EPSS Score	0.00832
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:35.036991+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-fwhr-88qx-h9g7/GHSA-fwhr-88qx-h9g7.json	38.0.0