OESA-2024-2465

Source
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2024-2465
Import Source
https://repo.openeuler.org/security/data/osv/OESA-2024-2465.json
JSON Data
https://api.test.osv.dev/v1/vulns/OESA-2024-2465
Upstream
Published
2024-11-22T14:23:17Z
Modified
2025-08-12T05:38:42.261630Z
Summary
rubygem-actionpack security update
Details

Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn't require a browser.

Security Fix(es):

A Cross-site Scripting (XSS) vulnerability was found in Actionpack due to improper sanitization of user-supplied values. This allows provided values to contain characters that are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned location header. (CVE-2023-28362)

Database specific
{
    "severity": "Low"
}
References

Affected packages

openEuler:22.03-LTS-SP1 / rubygem-actionpack

Package

Name
rubygem-actionpack
Purl
pkg:rpm/openEuler/rubygem-actionpack&distro=openEuler-22.03-LTS-SP1

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
6.1.4.1-7.oe2203sp1

Ecosystem specific

{
    "noarch": [
        "rubygem-actionpack-6.1.4.1-7.oe2203sp1.noarch.rpm",
        "rubygem-actionpack-doc-6.1.4.1-7.oe2203sp1.noarch.rpm"
    ],
    "src": [
        "rubygem-actionpack-6.1.4.1-7.oe2203sp1.src.rpm"
    ]
}