CVE-2024-54133

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-54133
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54133.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-54133
Aliases
Downstream
Related
Published
2024-12-10T22:52:04.633Z
Modified
2026-04-09T12:01:21.857361Z
Severity
  • 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Possible Content Security Policy bypass in Action Dispatch
Details

Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/54xxx/CVE-2024-54133.json"
}
References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
2e3f41e4538b9ca1044357f6644f037bbb7c6c49
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3da2479cfe1e00177114b17e496213c40d286b3a
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
5558e72f22fc69c1c407b31ac5fb3b4ce087b542
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
cb16a3bb515b5d769f73926d9757270ace691f1d

Affected versions

v0.*
v0.10.0
v0.10.1
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.14.1
v0.14.3
v0.9.1
v0.9.2
v0.9.3
v0.9.4
v0.9.4.1
v0.9.5
v1.*
v1.1.0
v1.1.0_RC1
v1.1.1
v2.*
v2.0.0
v2.0.0_PR
v2.0.0_RC1
v2.0.0_RC2
v2.0.1
v3.*
v3.0.0.beta.3
v3.0.0.beta3
v3.1.0.beta1
v3.1.0.rc1
v3.2.0.rc1
v4.*
v4.0.0.beta1
v4.0.0.rc1
v4.2.0.beta1
v5.*
v5.0.0.beta1
v5.0.0.beta2
v5.0.0.beta4
v5.1.0.beta1
v6.*
v6.0.0.beta1
v6.0.0.beta2
v6.1.0.rc1
v7.*
v7.0.0
v7.0.0.alpha1
v7.0.0.alpha2
v7.0.0.rc1
v7.0.1
v7.0.2
v7.0.3
v7.0.4
v7.0.5
v7.0.6
v7.0.7
v7.0.8
v7.0.8.1
v7.0.8.2
v7.0.8.3
v7.0.8.4
v7.0.8.5
v7.0.8.6
v7.1.0
v7.1.0.beta1
v7.1.0.rc1
v7.1.0.rc2
v7.1.1
v7.1.2
v7.1.3
v7.1.4
v7.1.5
v7.2.0.beta1
v7.2.0.beta2
v7.2.0.beta3
v7.2.0.rc1
v7.2.1
v7.2.2
v8.*
v8.0.0
v8.0.0.beta1
v8.0.0.rc1
v8.0.0.rc2

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-54133.json"