ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:11821 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 on GA media These are all security issues fixed in the ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-11821 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:11821 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2019-16782/ SUSE CVE CVE-2019-16782 page https://www.suse.com/security/cve/CVE-2019-5418/ SUSE CVE CVE-2019-5418 page https://www.suse.com/security/cve/CVE-2020-8164/ SUSE CVE CVE-2020-8164 page https://www.suse.com/security/cve/CVE-2020-8166/ SUSE CVE CVE-2020-8166 page https://www.suse.com/security/cve/CVE-2020-8185/ SUSE CVE CVE-2020-8185 page https://www.suse.com/security/cve/CVE-2020-8264/ SUSE CVE CVE-2020-8264 page https://www.suse.com/security/cve/CVE-2021-22881/ SUSE CVE CVE-2021-22881 page https://www.suse.com/security/cve/CVE-2021-22885/ SUSE CVE CVE-2021-22885 page https://www.suse.com/security/cve/CVE-2021-22902/ SUSE CVE CVE-2021-22902 page https://www.suse.com/security/cve/CVE-2021-22904/ SUSE CVE CVE-2021-22904 page https://www.suse.com/security/cve/CVE-2021-22942/ SUSE CVE CVE-2021-22942 page https://www.suse.com/security/cve/CVE-2021-44528/ SUSE CVE CVE-2021-44528 page openSUSE Tumbleweed ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 as a component of openSUSE Tumbleweed There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. CVE-2019-16782 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-16782.html CVE-2019-16782 https://bugzilla.suse.com/1159548 SUSE Bug 1159548 https://bugzilla.suse.com/1183174 SUSE Bug 1183174 There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed. CVE-2019-5418 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2019-5418.html CVE-2019-5418 https://bugzilla.suse.com/1129272 SUSE Bug 1129272 A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters. CVE-2020-8164 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8164.html CVE-2020-8164 https://bugzilla.suse.com/1172177 SUSE Bug 1172177 A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. CVE-2020-8166 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 low To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8166.html CVE-2020-8166 https://bugzilla.suse.com/1172182 SUSE Bug 1172182 A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. CVE-2020-8185 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8185.html CVE-2020-8185 https://bugzilla.suse.com/1173564 SUSE Bug 1173564 In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to send or embed (in another page) a specially crafted URL which can allow the attacker to execute JavaScript in the context of the local application. This vulnerability is in the Actionable Exceptions middleware. CVE-2020-8264 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2020-8264.html CVE-2020-8264 https://bugzilla.suse.com/1177521 SUSE Bug 1177521 The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted `Host` headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. Impacted applications will have allowed hosts with a leading dot. When an allowed host contains a leading dot, a specially crafted `Host` header can be used to redirect to a malicious website. CVE-2021-22881 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22881.html CVE-2021-22881 https://bugzilla.suse.com/1182160 SUSE Bug 1182160 https://bugzilla.suse.com/1185772 SUSE Bug 1185772 https://bugzilla.suse.com/1189627 SUSE Bug 1189627 https://bugzilla.suse.com/1193764 SUSE Bug 1193764 A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or `polymorphic_url`helper with untrusted user input. CVE-2021-22885 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22885.html CVE-2021-22885 https://bugzilla.suse.com/1185715 SUSE Bug 1185715 The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. CVE-2021-22902 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22902.html CVE-2021-22902 https://bugzilla.suse.com/1185771 SUSE Bug 1185771 The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. CVE-2021-22904 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22904.html CVE-2021-22904 https://bugzilla.suse.com/1185780 SUSE Bug 1185780 A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect users to a malicious website. CVE-2021-22942 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-22942.html CVE-2021-22942 https://bugzilla.suse.com/1189627 SUSE Bug 1189627 https://bugzilla.suse.com/1193764 SUSE Bug 1193764 A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in combination with certain "allowed host" formats can cause the Host Authorization middleware in Action Pack to redirect users to a malicious website. CVE-2021-44528 openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-6.0-6.0.4.4-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2021-44528.html CVE-2021-44528 https://bugzilla.suse.com/1193764 SUSE Bug 1193764