Moderate severity · NVD Advisory · Published Jun 4, 2024 · Updated Dec 6, 2024
Action Pack is missing security headers on non-HTML responses
CVE-2024-28103
Description
Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type, so non-HTML responses (JSON, XML, plain text and so on) go out without it. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.
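As an added illustration (not Rails' own code), the following stripped-down re-creation of the middleware gate can be switched between the vulnerable behaviour described above (header only when the Content-Type mentions "html") and the fixed behaviour (header on every response); the header names, the `policy_header_for` helper and the `paths_missing_policy` audit helper are assumptions made for the example.

```ruby
# Added example (not Rails' own code): simplified re-creation of the
# Permissions-Policy middleware gate, switchable between the vulnerable
# (html_only: true) and patched (html_only: false) behaviour. Names assumed.
CONTENT_TYPE   = "Content-Type"
FEATURE_POLICY = "Permissions-Policy"

class PermissionsPolicyMiddleware
  # html_only: true reproduces the pre-fix gate, false the patched behaviour
  def initialize(app, policy:, html_only:)
    @app, @policy, @html_only = app, policy, html_only
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Vulnerable gate: skip anything whose Content-Type does not mention html
    # (this also skips responses that carry no Content-Type at all).
    return [status, headers, body] if @html_only && !html_response?(headers)
    # Both versions leave an explicitly set policy untouched.
    return [status, headers, body] if headers[FEATURE_POLICY]
    headers[FEATURE_POLICY] = @policy
    [status, headers, body]
  end

  private

  def html_response?(headers)
    content_type = headers[CONTENT_TYPE]
    !content_type.nil? && content_type.include?("html")
  end
end

# Run one constructed response through the middleware; return the header seen.
def policy_header_for(content_type, html_only:, existing: nil)
  downstream = lambda do |_env|
    headers = {}
    headers[CONTENT_TYPE]   = content_type if content_type
    headers[FEATURE_POLICY] = existing     if existing
    [200, headers, []]
  end
  mw = PermissionsPolicyMiddleware.new(downstream, policy: "gyroscope 'self'", html_only: html_only)
  _status, headers, _body = mw.call({})
  headers[FEATURE_POLICY]
end

# Defender-side check over captured responses ([path, headers] pairs):
# return the paths whose response carries no Permissions-Policy header.
def paths_missing_policy(responses)
  responses.reject { |_path, headers| headers[FEATURE_POLICY] }.map(&:first)
end
```

With `html_only: true` a JSON response, and a response with no Content-Type, come back without the header; with `html_only: false` every response carries it, while a policy the application set itself is never overwritten.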
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| actionpack | RubyGems | >= 6.1.0, < 6.1.7.8 | 6.1.7.8 |
| actionpack | RubyGems | >= 7.0.0, < 7.0.8.4 | 7.0.8.4 |
| actionpack | RubyGems | >= 7.1.0, < 7.1.3.4 | 7.1.3.4 |
| actionpack | RubyGems | >= 7.2.0.beta1, < 7.2.0.beta2 | 7.2.0.beta2 |
Patches (1)
35858f1d9d57: include the HTTP Permissions-Policy on non-HTML Content-Types
2 files changed · +2 −9
actionpack/lib/action_dispatch/http/permissions_policy.rb+0 −7 modified@@ -37,7 +37,6 @@ def initialize(app) def call(env) _, headers, _ = response = @app.call(env) - return response unless html_response?(headers) return response if policy_present?(headers) request = ActionDispatch::Request.new(env) @@ -54,12 +53,6 @@ def call(env) end private - def html_response?(headers) - if content_type = headers[Rack::CONTENT_TYPE] - content_type.include?("html") - end - end - def policy_present?(headers) headers[ActionDispatch::Constants::FEATURE_POLICY] end
actionpack/test/dispatch/permissions_policy_test.rb+2 −2 modified@@ -69,12 +69,12 @@ def call(env) assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY] end - test "non-html requests will not set a policy" do + test "non-html requests will set a policy" do @app = build_app(->(env) { [200, { Rack::CONTENT_TYPE => "application/json" }, []] }) get "/index" - assert_nil response.headers[ActionDispatch::Constants::FEATURE_POLICY] + assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY] end test "existing policies will not be overwritten" do
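Review bot: the library change in `permissions_policy.rb` ships without a CHANGELOG entry; the diff touches only that file and its test (`2 files changed · +2 −9`), so a note under actionpack's changelog that `Permissions-Policy` is now emitted for every Content-Type would help applications that relied on the old HTML-only behaviour. The logic itself reads correctly: dropping `return response unless html_response?(headers)` together with the now-unused private `html_response?` leaves `policy_present?` as the only early exit, so a header the application set explicitly is still not overwritten.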
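Review bot: the renamed test in `permissions_policy_test.rb` only exercises `application/json`; because the removed `html_response?` returned nil whenever `headers[Rack::CONTENT_TYPE]` was absent, a response with no Content-Type at all was also skipped before this change, and a second case that builds the app with `[200, {}, []]` and asserts `assert_equal "gyroscope 'self'", response.headers[ActionDispatch::Constants::FEATURE_POLICY]` would lock in that the header is now set there as well.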
References
- github.com/advisories/GHSA-fwhr-88qx-h9g7 (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-28103 (NVD advisory)
- github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523 (fix commit)
- github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7 (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-28103.yml (ruby-advisory-db entry)
- security.netapp.com/advisory/ntap-20241206-0002 (NetApp advisory)