
CVE-2022-22577

UNKNOWN
Published 2022-05-26T00:00:00

No CVSS data available

Description

An XSS vulnerability in Action Pack (affected: versions >= 5.2.0; not affected: versions < 5.2.0) that could allow an attacker to bypass CSP for non-HTML-like responses.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed MODERATE

Cross-site Scripting Vulnerability in Action Pack

GHSA-mm33-5vfq-3mm3

Advisory Details

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact

CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.

Releases

The FIXED releases are available at the normal locations.

Workarounds

Set a CSP for your API responses manually.
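The workaround above says to set a CSP on API responses yourself. The following is an added example (not part of the GitHub advisory or of Rails) of one way to do that at the Rack layer: a middleware that adds a Content-Security-Policy header to any response that does not already carry one, so JSON and other non-HTML responses are covered as well. The `html_only_csp_app` function is a constructed stand-in for an application that, like the affected Rails versions described above, only sets CSP on HTML responses; the header value in `DEFAULT_CSP` is an assumed restrictive policy suited to API responses and should be adjusted to the application.

```ruby
# Constructed default policy for non-HTML responses: an API response should
# never need to load scripts, styles or frames, so deny everything.
DEFAULT_CSP = "default-src 'none'; frame-ancestors 'none'".freeze

# Rack-style middleware: wraps an app and guarantees every response carries a
# Content-Security-Policy header, regardless of its Content-Type.
class EnsureCsp
  def initialize(app, policy: DEFAULT_CSP)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Only fill in the header when the app did not set one itself, so an
    # HTML page's own (typically more permissive) policy is left untouched.
    already_set = headers.keys.any? { |k| k.casecmp?("Content-Security-Policy") }
    headers["Content-Security-Policy"] = @policy unless already_set
    [status, headers, body]
  end
end

# Constructed stand-in for an app that sets CSP only on HTML responses,
# mirroring the behaviour the advisory describes for affected versions.
def html_only_csp_app(env)
  if env["PATH_INFO"].start_with?("/api/")
    [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
  else
    [200,
     { "Content-Type" => "text/html",
       "Content-Security-Policy" => "default-src 'self'" },
     ["<p>hello</p>"]]
  end
end

# Helper for checking which CSP a given path ends up with once wrapped.
def csp_header_for(path)
  app = EnsureCsp.new(method(:html_only_csp_app))
  _status, headers, _body = app.call({ "PATH_INFO" => path })
  headers["Content-Security-Policy"]
end

if __FILE__ == $PROGRAM_NAME
  puts "/api/users -> #{csp_header_for('/api/users')}"
  puts "/          -> #{csp_header_for('/')}"
end
```

The check is easy to add to an existing test suite: request a JSON endpoint and assert the header is present. In a real Rails application the same effect is obtained by inserting the middleware with `config.middleware.use`, or by setting the header in an `after_action` on the API base controller; the Rack version is shown here because it is independent of the framework version.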

Affected Packages

RubyGems actionpack
ECOSYSTEM: ≥5.2.0 <5.2.7.1
RubyGems actionpack
ECOSYSTEM: ≥6.0.0 <6.0.4.8
RubyGems actionpack
ECOSYSTEM: ≥6.1.0 <6.1.5.1
RubyGems actionpack
ECOSYSTEM: ≥7.0.0 <7.0.2.4

CVSS Scoring

CVSS Score

5.0

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Advisory provided by GitHub Security Advisory Database. Published: April 27, 2022, Modified: June 8, 2022

Last Modified: 2024-08-03T03:14:55.738Z