CVE-2024-28103

NameCVE-2024-28103
DescriptionAction Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1072705

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
rails (PTS)bullseye (security), bullseye2:6.0.3.7+dfsg-2+deb11u2fixed
bookworm2:6.1.7.3+dfsg-2~deb12u1vulnerable
sid, trixie2:6.1.7.3+dfsg-4vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
railssourcebuster(not affected)
railssourcebullseye(not affected)
railssource(unstable)(unfixed)1072705

Notes

[bookworm] - rails <no-dsa> (Minor issue)
[bullseye] - rails <not-affected> (Vulnerable code introduced later)
[buster] - rails <not-affected> (Vulnerable code introduced later)
https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523 (main)
https://github.com/rails/rails/commit/b329b261dd32a61316f2831788d6078ca0563ab6 (v6.1.7.8)

Search for package or bug name: Reporting problems