847970 – (CVE-2022-22577) <dev-ruby/actionpack-{5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4}: CSP bypass for non-HTML responses

Bug 847970 (CVE-2022-22577) - <dev-ruby/actionpack-{5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4}: CSP bypass for non-HTML responses

Summary: <dev-ruby/actionpack-{5.2.7.1,6.0.4.8,6.1.5.1,7.0.2.4}: CSP bypass for non-HT...

Status:	RESOLVED FIXED

Alias:	CVE-2022-22577

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal minor (vote)
Assignee:	Gentoo Security

URL:	https://discuss.rubyonrails.org/t/cve...
Whiteboard:	B4 [noglsa]
Keywords:

Depends on:	848051
Blocks:
	Show dependency tree

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-05-28 21:46:53 UTC

CVE-2022-22577:

An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.

Comment 1 John Helmert III archtester

2022-05-30 22:31:24 UTC

Please cleanup

Comment 2 Hans de Graaff gentoo-dev

2022-07-25 08:34:47 UTC

Cleanup done.

Comment 3 John Helmert III archtester

2022-07-25 19:19:41 UTC

Thanks! All done.