CVE-2022-22577
XSS vulnerability in actionpack (RubyGems)

Type: XSS. No known exploit.

What is CVE-2022-22577 About?

This vulnerability is a cross-site scripting (XSS) flaw in Rails / Action Pack, where CSP headers were not always sent for API responses. This omission exposes users to potential XSS attacks. The ease of exploitation depends on the presence of other injectable points within the API responses.

Affected Software

  • actionpack
    • >=5.2.0, <5.2.7.1
    • >=6.0.0, <6.0.4.8
    • >=6.1.0, <6.1.5.1
    • >=7.0.0, <7.0.2.4

Technical Details

The XSS vulnerability arises because Rails / Action Pack did not consistently send Content Security Policy (CSP) headers with all responses; non-HTML responses, such as those from API endpoints, could be served without one. CSP is a key defence-in-depth mechanism against XSS: it restricts the sources from which scripts and other content may be loaded, so an injected script is blocked even when an injection point exists. Without the header, an attacker who can inject script into an API response (for example through user-supplied data that is reflected unsafely) can execute arbitrary code in the user's browser within the application's origin, gaining the access that the Same-Origin Policy would otherwise reserve for the site's own code.
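A defensive check in the spirit of the fix, added here as an example that is not code from the advisory or from Rails: a small Rack-style middleware that guarantees a CSP header on every response (JSON and other API responses included) while an upgrade is rolled out, plus an audit helper that lists responses served without one. The header name handling, the default policy value and the sample responses are assumptions constructed for the example.

```ruby
# Added example (not from the advisory or from Rails): a minimal Rack-style
# middleware that guarantees a Content-Security-Policy header on every
# response, including JSON/API responses that affected Action Pack versions
# could leave without one. The default policy is an assumption for this
# example; a real deployment would use the application's own policy.
DEFAULT_CSP = "default-src 'none'; frame-ancestors 'none'".freeze
CSP_HEADER  = "Content-Security-Policy".freeze

# True when any header key matches CSP case-insensitively (Rack 3 lowercases
# header names, older Rack versions do not).
def csp_header_present?(headers)
  headers.keys.any? { |k| k.to_s.casecmp?(CSP_HEADER) }
end

class EnsureCsp
  def initialize(app, policy: DEFAULT_CSP)
    @app = app
    @policy = policy
  end

  # Rack interface: env in, [status, headers, body] out. A policy the
  # application already set (e.g. via Rails' CSP DSL) is left untouched;
  # the middleware only fills the gap when no CSP header exists at all.
  def call(env)
    status, headers, body = @app.call(env)
    headers[CSP_HEADER] = @policy unless csp_header_present?(headers)
    [status, headers, body]
  end
end

# Audit helper: given [path, headers] pairs captured from an application,
# return the paths that were served without any CSP header.
def responses_missing_csp(responses)
  responses.reject { |_path, h| csp_header_present?(h) }.map(&:first)
end

# Constructed sample responses: an HTML page carrying CSP and an API
# response without it, the situation the advisory describes.
SAMPLE_RESPONSES = [
  ["/dashboard",      { "Content-Type" => "text/html",
                        "Content-Security-Policy" => "default-src 'self'" }],
  ["/api/users.json", { "Content-Type" => "application/json" }],
].freeze

# Runs a constructed JSON-only "app" through the middleware and returns the
# resulting Rack triple, so the added header can be inspected.
def json_response_through_middleware
  app = ->(_env) { [200, { "Content-Type" => "application/json" }, ['{"ok":true}']] }
  EnsureCsp.new(app).call({})
end
```

Running `responses_missing_csp` over real captured responses from every API route is a simple regression test to keep in the suite after upgrading.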

What is the Impact of CVE-2022-22577?

Successful exploitation may allow attackers to execute arbitrary scripts in the user's browser, hijack user sessions, deface web content, or redirect users to malicious sites, leading to data theft and compromised user experience.

What is the Exploitability of CVE-2022-22577?

Exploitation primarily requires the ability to inject malicious content into a web page or API response that lacks proper CSP headers. This can be complex depending on the application's input sanitization. No specific authentication is required to inject content if public endpoints are vulnerable, but often, some form of interaction with the application by the victim is needed to trigger the XSS. This is a remote attack. The absence of CSP headers significantly lowers the bar for successful XSS exploitation, making XSS attacks more likely if other injection vulnerabilities exist.

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2022-22577?

Available Upgrade Options

  • actionpack
    • >=5.2.0, <5.2.7.1 → Upgrade to 5.2.7.1
    • >=6.0.0, <6.0.4.8 → Upgrade to 6.0.4.8
    • >=6.1.0, <6.1.5.1 → Upgrade to 6.1.5.1
    • >=7.0.0, <7.0.2.4 → Upgrade to 7.0.2.4

Additional Resources

What are Similar Vulnerabilities to CVE-2022-22577?

Similar Vulnerabilities: CVE-2021-22928, CVE-2020-8164, CVE-2019-5418, CVE-2018-16474, CVE-2017-0917