BIT-rails-2024-54133
Cross Site Scripting vulnerability in actionpack (RubyGems)
What is BIT-rails-2024-54133 About?
This vulnerability is a Cross-Site Scripting (XSS) flaw in Action Pack's `content_security_policy` helper. It allows attackers to inject new directives into CSP headers if policies are dynamically set from untrusted user input, potentially bypassing CSP protections. Exploitation requires carefully crafted input, making it a medium-difficulty attack.
Affected Software
- actionpack
  - >=5.2.0, <7.0.8.7
  - >=7.1.0, <7.1.5.1
  - >=7.2.0, <7.2.2.1
  - >=8.0.0, <8.0.0.1
Technical Details
The XSS vulnerability in Action Pack's `content_security_policy` helper manifests when applications dynamically generate `Content-Security-Policy` (CSP) headers using untrusted user input. If an application directly embeds user-supplied data into CSP directives without proper sanitization or validation, a malicious actor can craft input that injects new, attacker-controlled directives. For example, by inserting a `script-src 'unsafe-inline'` directive, the attacker can then execute arbitrary JavaScript, effectively bypassing the very protection mechanism (CSP) intended to prevent XSS. This allows for client-side code execution in the user's browser, enabling various XSS attack scenarios.
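The mechanism described above, as an added example that is not Rails' own code: a minimal header builder (the hypothetical module `CspDemo`) joins directive sources into a CSP header the way a dynamic `content_security_policy` block might, and a small parser shows which directives a browser would end up with (browsers keep the first occurrence of a directive name and ignore repeats). The untrusted sample value is constructed for illustration. The hardened builder rejects any source containing a directive separator (`;` or `,`), which is one way to apply the strict input validation this page calls for; it is not a reproduction of the upstream patch.

```ruby
# Added illustration, not Rails code: how an untrusted source that contains
# a directive separator injects a new CSP directive, and how a builder that
# validates sources prevents it.
module CspDemo
  # ";" separates directives and "," separates header values. A source
  # containing either can end its own directive and start another.
  SEPARATOR = /[;,]/

  class InvalidSourceError < ArgumentError; end

  # Naive builder: interpolates every source verbatim, as an application
  # does when it feeds request data straight into a dynamic policy.
  def self.build_unsafe(directives)
    directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
  end

  # Hardened builder: refuses any source containing a separator, so a value
  # can never terminate its directive and introduce a new one.
  def self.build_safe(directives)
    directives.each do |name, sources|
      sources.each do |src|
        if src.match?(SEPARATOR)
          raise InvalidSourceError, "invalid source #{src.inspect} in #{name}"
        end
      end
    end
    build_unsafe(directives)
  end

  # Parse a serialized policy into { directive => [sources] }. Per the CSP
  # spec a repeated directive name is ignored, so the first occurrence wins.
  def self.parse(header)
    header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
      name, *sources = directive.split(/\s+/)
      acc[name] ||= sources
    end
  end
end

if __FILE__ == $0
  # Constructed sample: a trusted base policy with no explicit script-src,
  # plus an image origin taken from a hypothetical untrusted request parameter.
  untrusted_origin = "https://cdn.example.com; script-src 'unsafe-inline'"
  policy = { "default-src" => ["'self'"], "img-src" => [untrusted_origin] }

  header = CspDemo.build_unsafe(policy)
  puts header
  # The injected script-src now overrides the default-src fallback for scripts.
  p CspDemo.parse(header)

  begin
    CspDemo.build_safe(policy)
  rescue CspDemo::InvalidSourceError => e
    puts "rejected: #{e.message}"
  end
end
```

Run the file directly to see the injected `script-src` appear in the parsed policy for the naive builder and the same input rejected by the validating one.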
What is the Impact of BIT-rails-2024-54133?
Successful exploitation bypasses the application's CSP protections and may allow attackers to execute arbitrary client-side scripts, steal sensitive user data, perform actions on behalf of the user, or deface the website.
What is the Exploitability of BIT-rails-2024-54133?
Exploitation requires an attacker to provide 'carefully crafted inputs' that are then used to dynamically set Content-Security-Policy (CSP) headers. The complexity is moderate, dependent on the application's input handling and CSP implementation. No specific authentication or privilege is explicitly mentioned, suggesting it could be exploited remotely by an unauthenticated user if the vulnerable input field is publicly accessible. The special condition is that the application must construct CSP headers dynamically from untrusted user input. Risk factors increase significantly if user-generated content directly influences security headers without strict input validation or escaping.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for BIT-rails-2024-54133?
Available Upgrade Options
- actionpack
  - >=5.2.0, <7.0.8.7 → Upgrade to 7.0.8.7
  - >=7.1.0, <7.1.5.1 → Upgrade to 7.1.5.1
  - >=7.2.0, <7.2.2.1 → Upgrade to 7.2.2.1
  - >=8.0.0, <8.0.0.1 → Upgrade to 8.0.0.1
Additional Resources
- https://github.com/rails/rails/commit/cb16a3bb515b5d769f73926d9757270ace691f1d
- https://github.com/rails/rails/commit/2e3f41e4538b9ca1044357f6644f037bbb7c6c49
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-54133.yml
- https://security.netapp.com/advisory/ntap-20250306-0010/
- https://github.com/rails/rails/commit/5558e72f22fc69c1c407b31ac5fb3b4ce087b542
- https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
- https://github.com/rails/rails
- https://nvd.nist.gov/vuln/detail/CVE-2024-54133
What are Similar Vulnerabilities to BIT-rails-2024-54133?
Similar Vulnerabilities: CVE-2023-38037, CVE-2023-24836, CVE-2023-36052, CVE-2023-42838, CVE-2022-3869
