CVE-2024-54133

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-54133
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54133.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-54133
Aliases
Downstream
Related
Published
2024-12-10T22:52:04.633Z
Modified
2025-11-28T02:34:43.665648Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
Summary
Possible Content Security Policy bypass in Action Dispatch
Details

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.
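The advisory's workaround is to validate or sanitize any untrusted value before it reaches a CSP header. The following added example (not code from Rails or from this advisory) contrasts a naive header builder that interpolates a hypothetical tenant-configurable script host directly into the policy with a hardened builder that only accepts a strict `https://host[:port]` source; the header template, the `script_host` setting and the sample inputs are all constructed for illustration.

```ruby
require "uri"

# Constructed example: a CSP assembled from a fixed template plus one
# value taken from configuration or user input (hypothetical "script_host").

# Naive builder: interpolates the untrusted value straight into the policy.
# CSP directives are separated by ';', so a value containing ';' adds a
# directive the template never intended.
def csp_naive(script_host)
  "default-src 'self'; script-src 'self' #{script_host}"
end

# Host part of an https host-source: letters, digits, '.', '-', optional port.
HOST_PART = /\A[a-z0-9.-]+(?::\d{1,5})?\z/i

# Strict allow-list check: exactly one https origin, no path, query or
# fragment, and none of the characters that end or split CSP directives
# (whitespace, ';', ',').
def valid_csp_host_source?(value)
  return false unless value.is_a?(String) && value.match?(%r{\Ahttps://[^\s;,]+\z})
  uri = URI.parse(value)
  uri.scheme == "https" &&
    !uri.host.nil? &&
    HOST_PART.match?(value.delete_prefix("https://")) &&
    uri.path.empty? && uri.query.nil? && uri.fragment.nil?
rescue URI::InvalidURIError
  false
end

# Hardened builder: refuses anything that is not a clean host-source, so the
# number of directives in the emitted policy is fixed by the template.
def csp_hardened(script_host)
  unless valid_csp_host_source?(script_host)
    raise ArgumentError, "invalid CSP host source: #{script_host.inspect}"
  end
  "default-src 'self'; script-src 'self' #{script_host}"
end

# Lists directive names in a serialized policy; useful for a test that the
# policy an application emits has exactly the directives it expects.
def csp_directive_names(policy)
  policy.split(";").map { |d| d.strip.split(/\s+/).first }.compact
end

if __FILE__ == $PROGRAM_NAME
  clean = "https://cdn.example.test"
  injected = "https://cdn.example.test; img-src data:" # constructed bad input
  puts csp_directive_names(csp_naive(injected)).inspect     # three directives
  puts csp_hardened(clean)
  begin
    csp_hardened(injected)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The same check belongs in front of any value handed to the `content_security_policy` helper the advisory names: the policy's set of directives should be fixed by code, and untrusted input should only ever select or fill a single source entry that has passed a strict allow-list.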

Database specific
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54133.json",
    "cwe_ids": [
        "CWE-79"
    ]
}
References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "versions": [
        {
            "introduced": "5.2.0"
        },
        {
            "fixed": "7.0.8.7"
        }
    ]
}
Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.1.0"
        },
        {
            "fixed": "7.1.5.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "versions": [
        {
            "introduced": "7.2.0"
        },
        {
            "fixed": "7.2.2.1"
        }
    ]
}
Type
GIT
Repo
https://github.com/rails/rails
Events
Database specific
{
    "versions": [
        {
            "introduced": "8.0.0"
        },
        {
            "fixed": "8.0.0.1"
        }
    ]
}