Updated advisory posts against rubysec/ruby-advisory-db@b88d29d

jasnow · RubySec CI · commit 07fb42778c34 · 2024-12-11T18:18:54.000Z
diff --git a/advisories/_posts/2024-12-10-CVE-2024-54133.md b/advisories/_posts/2024-12-10-CVE-2024-54133.md
@@ -0,0 +1,54 @@
+---
+layout: advisory
+title: 'CVE-2024-54133 (actionpack): Possible Content Security Policy bypass in Action
+  Dispatch'
+comments: false
+categories:
+- actionpack
+- rails
+advisory:
+  gem: actionpack
+  framework: rails
+  cve: 2024-54133
+  ghsa: vfm5-rmrh-j26v
+  url: https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+  title: Possible Content Security Policy bypass in Action Dispatch
+  date: 2024-12-10
+  description: |
+    There is a possible Cross Site Scripting (XSS) vulnerability
+    in the `content_security_policy` helper in Action Pack.
+
+    ## Impact
+
+    Applications which set Content-Security-Policy (CSP) headers
+    dynamically from untrusted user input may be vulnerable to
+    carefully crafted inputs being able to inject new directives
+    into the CSP. This could lead to a bypass of the CSP and its
+    protection against XSS and other attacks.
+
+    ## Releases
+
+    The fixed releases are available at the normal locations.
+
+    ## Workarounds
+
+    Applications can avoid setting CSP headers dynamically from
+    untrusted input, or can validate/sanitize that input.
+
+    ## Credits
+
+    Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
+  cvss_v4: 2.3
+  unaffected_versions:
+  - "< 5.2.0"
+  patched_versions:
+  - "~> 7.0.8.7"
+  - "~> 7.1.5.1"
+  - "~> 7.2.2.1"
+  - ">= 8.0.0.1"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-54133
+    - https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+    - https://github.com/advisories/GHSA-vfm5-rmrh-j26v
+---
