CVE-2024-28103

2024-06-0420:15:10

Debian Security Bug Tracker

security-tracker.debian.org

action pack

web requests

html

content-type

permissions-policy

vulnerability

fixed

unix

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

5.3 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.9%

JSON

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

OSVersionArchitecturePackageVersionFilename
Debian12allrails<= 2:6.1.7.3+dfsg-1rails_2:6.1.7.3+dfsg-1_all.deb
Debian11allrails< 2:6.0.3.7+dfsg-2+deb11u2rails_2:6.0.3.7+dfsg-2+deb11u2_all.deb
Debian10allrails< 2:5.2.2.1+dfsg-1+deb10u3rails_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian999allrails<= 2:6.1.7.3+dfsg-3rails_2:6.1.7.3+dfsg-3_all.deb
Debian13allrails<= 2:6.1.7.3+dfsg-3rails_2:6.1.7.3+dfsg-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	rails	<= 2:6.1.7.3+dfsg-1	rails_2:6.1.7.3+dfsg-1_all.deb
Debian	11	all	rails	< 2:6.0.3.7+dfsg-2+deb11u2	rails_2:6.0.3.7+dfsg-2+deb11u2_all.deb
Debian	10	all	rails	< 2:5.2.2.1+dfsg-1+deb10u3	rails_2:5.2.2.1+dfsg-1+deb10u3_all.deb
Debian	999	all	rails	<= 2:6.1.7.3+dfsg-3	rails_2:6.1.7.3+dfsg-3_all.deb
Debian	13	all	rails	<= 2:6.1.7.3+dfsg-3	rails_2:6.1.7.3+dfsg-3_all.deb