Platform: ruby
Component: actionpack
Fixed in: 5.2.1, 7.1.1, 7.2.1, 8.0.1, 7.0.8.7
CVE-2024-54133 describes a Cross-Site Scripting (XSS) vulnerability in the content_security_policy helper of Ruby on Rails Action Pack. The vulnerability arises when an application sets Content-Security-Policy (CSP) headers dynamically from untrusted user input. Exploitation could bypass the CSP, potentially enabling XSS and other attacks. Affected versions include those prior to 7.0.8.7, with a fix available in version 7.0.8.7.
The core impact of CVE-2024-54133 lies in the potential circumvention of Content Security Policy (CSP). CSP is a critical security mechanism designed to mitigate XSS attacks by controlling the sources from which a browser can load resources. If an attacker can inject arbitrary directives into the CSP header, they effectively disable these protections. This could allow them to execute malicious scripts within the context of the vulnerable application, potentially leading to data theft, session hijacking, or defacement. The blast radius extends to any user interacting with the application, particularly those providing input that influences the CSP header generation.
CVE-2024-54133 has a CVSS score of 2.5 (LOW). As of the publication date (2024-12-10), there are no publicly known Proof-of-Concept (POC) exploits. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, nor did it have an EPSS score at the time of writing. No active exploitation campaigns are currently reported, but the potential for exploitation remains because of the ease of injecting directives into the CSP header.
Exploit status
EPSS: 0.12% (31st percentile)
CISA SSVC
The primary mitigation for CVE-2024-54133 is to upgrade to Ruby on Rails Action Pack version 7.0.8.7 or later. If upgrading is not immediately feasible, a workaround is to avoid generating CSP headers dynamically from untrusted user input: hardcode the CSP directives, or take the values from a trusted, validated source. Where user input must influence the policy, validate and sanitize it so that it cannot introduce additional directives into the header. A WAF might offer some protection, but it is not a substitute for patching the underlying vulnerability. After upgrading, confirm the fix by attempting to inject CSP directives through user input and verifying that the resulting CSP remains intact.
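The following block is an added illustration of the mitigation and verification step described above; it is example code written for this page, not Rails' content_security_policy helper or the upstream fix. It contrasts a builder that interpolates an untrusted source into a CSP header with one that first checks the value against a strict host-source pattern, and it parses the resulting headers the way a browser splits them so the difference is visible. The sample inputs are constructed, and validate_source!, build_csp_unsafe, build_csp_safe, parse_csp and unexpected_directives are names chosen here.

```ruby
# Added example for this page, not code from Rails or from the CVE fix.
# Shows why a CSP header built from raw user input can gain extra
# directives, and how a strict allowlist check on each source prevents it.

# Constructed sample inputs: a legitimate CDN origin and a value that
# smuggles a second directive after a ';'.
SAFE_ORIGIN     = "https://cdn.example.com"
INJECTED_ORIGIN = "https://cdn.example.com; script-src *"

class CspSourceError < ArgumentError; end

# A single CSP host-source: optional scheme, host (optionally a wildcard
# subdomain) and optional port. Because neither whitespace nor ';' can
# match, a value accepted here can never end the current directive or
# start a new one.
HOST_SOURCE = %r{\A(?:https?:)?//(?:\*\.)?[A-Za-z0-9.-]+(?::\d{1,5})?\z}

def validate_source!(value)
  return value if value.is_a?(String) && value.match?(HOST_SOURCE)

  raise CspSourceError, "rejected CSP source: #{value.inspect}"
end

# Vulnerable pattern: the untrusted value is interpolated verbatim.
def build_csp_unsafe(img_origin)
  "default-src 'self'; img-src 'self' #{img_origin}"
end

# Hardened pattern: the value is validated before it reaches the header.
def build_csp_safe(img_origin)
  "default-src 'self'; img-src 'self' #{validate_source!(img_origin)}"
end

# Split a serialized policy into { directive => [sources] } the way a
# browser does (';' separates directives, whitespace separates sources),
# so we can see which directives each builder actually emitted.
def parse_csp(header)
  header.split(";").map(&:strip).reject(&:empty?).each_with_object({}) do |directive, acc|
    name, *sources = directive.split(/\s+/)
    acc[name] = sources
  end
end

# Directives present in the header that the application never intended
# to set; a useful regression check after upgrading.
def unexpected_directives(header, expected = %w[default-src img-src])
  parse_csp(header).keys - expected
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe, injected input => #{parse_csp(build_csp_unsafe(INJECTED_ORIGIN))}"
  puts "safe, valid input      => #{build_csp_safe(SAFE_ORIGIN)}"
  begin
    build_csp_safe(INJECTED_ORIGIN)
  rescue CspSourceError => e
    puts "safe, injected input   => #{e.message}"
  end
end
```

In a Rails application the validated value is what would be passed into the content_security_policy configuration block; the unexpected_directives check is the kind of assertion to keep in the test suite so that a future change that reintroduces raw interpolation is caught.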
Update to Rails version 7.0.8.7, 7.1.5.1, 7.2.2.1, or 8.0.0.1 or higher. Alternatively, avoid setting CSP headers dynamically from untrusted input, or validate and sanitize that input before using it to configure the CSP header.
CVE-2024-54133 is a Cross-Site Scripting (XSS) vulnerability in Ruby on Rails Action Pack, affecting versions up to 7.0.8.6. It allows attackers to inject directives into CSP headers via untrusted input, potentially bypassing security protections.
You are affected if your Ruby on Rails application uses Action Pack version 7.0.8.6 or earlier and dynamically generates CSP headers from untrusted user input. Check your version with rails -v.
Upgrade to Ruby on Rails Action Pack version 7.0.8.7 or later. As a temporary workaround, avoid dynamically generating CSP headers from untrusted user input.
As of December 2024, there are no publicly known active exploitation campaigns for CVE-2024-54133, but the potential for exploitation exists.
Refer to the official Ruby on Rails security advisory for CVE-2024-54133: [https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx](https://github.com/rails/rails/security/advisories/GHSA-xxxx-xxxx-xxxx) (replace with actual advisory URL).