VYPR

rpm package

opensuse/rubygem-actionpack-6.0&distro=openSUSE Tumbleweed

pkg:rpm/opensuse/rubygem-actionpack-6.0&distro=openSUSE%20Tumbleweed

Vulnerabilities (13)

  • CVE-2022-23633Feb 11, 2022
    affected < 6.0.4.6-1.1fixed 6.0.4.6-1.1

    Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next reques

  • CVE-2021-44528Jan 7, 2022
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website.

  • CVE-2021-22942Oct 18, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website.

  • CVE-2021-22904Jun 11, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token`

  • CVE-2021-22902Jun 11, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser i

  • CVE-2021-22885May 27, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input.

  • CVE-2021-22881Feb 11, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users t

  • CVE-2020-8264Jan 6, 2021
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local applic

  • CVE-2020-8166MedJul 2, 2020
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.

  • CVE-2020-8185Jul 2, 2020
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production.

  • CVE-2020-8164Jun 19, 2020
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.

  • CVE-2019-16782Dec 18, 2019
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually store

  • CVE-2019-5418KEVMar 27, 2019
    affected < 6.0.4.4-1.1fixed 6.0.4.4-1.1

    There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.