CVSS3: 6.1 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | REQUIRED |
Scope | CHANGED |
Confidentiality Impact | LOW |
Integrity Impact | LOW |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS2: 4.3 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.005 Low (percentile 76.8%)
There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.

Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1

Impact: CSP headers were only sent along with responses that Rails considered as "HTML" responses. This left API requests without CSP headers, which could possibly expose users to XSS attacks.

Releases: The FIXED releases are available at the normal locations.

Workaround: Set a CSP for your API responses manually.
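The workaround above asks for a CSP on API responses that the affected Rails versions leave bare. One way to apply it uniformly is a small Rack middleware that attaches a Content-Security-Policy header to any response that does not already carry one, regardless of content type. The code below is an added example, not Rails' own fix or the advisory's text; the middleware name `CspForAllResponses`, the default policy string and the two sample downstream apps are constructed for this example. In a Rails app it would be registered with `config.middleware.use CspForAllResponses`; here it runs with plain Ruby so the behaviour can be checked without a server.

```ruby
# Added example (not Rails' own code). Header keys use the mixed-case form
# that Rack 2 (the Rack generation used by the affected Rails releases) expects.
class CspForAllResponses
  HEADER = "Content-Security-Policy".freeze
  # Assumed default: a restrictive policy suited to API responses that never
  # render markup, so an injected script in a JSON body has nowhere to run.
  DEFAULT_POLICY = "default-src 'none'; frame-ancestors 'none'".freeze

  def initialize(app, policy: DEFAULT_POLICY)
    @app = app
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Respect a policy the application already set (e.g. Rails' own CSP on
    # HTML responses); only fill the gap on responses that have none.
    already_set = headers.keys.any? { |k| k.casecmp?(HEADER) }
    headers[HEADER] = @policy unless already_set
    [status, headers, body]
  end
end

# Constructed sample downstream apps: a JSON API endpoint with no CSP header
# (the situation the advisory describes) and an HTML endpoint that already
# carries its own policy.
JSON_API_APP = lambda do |_env|
  [200, { "Content-Type" => "application/json" }, ['{"ok":true}']]
end

HTML_APP = lambda do |_env|
  [200, { "Content-Type" => "text/html",
          "Content-Security-Policy" => "default-src 'self'" }, ["<p>hi</p>"]]
end

# Runs one request through the middleware and returns the response headers,
# so the effect can be inspected or asserted on without a real server.
def csp_headers_for(app, policy: CspForAllResponses::DEFAULT_POLICY)
  _status, headers, _body =
    CspForAllResponses.new(app, policy: policy).call({ "PATH_INFO" => "/api/items" })
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "JSON API response headers: #{csp_headers_for(JSON_API_APP)}"
  puts "HTML response headers:     #{csp_headers_for(HTML_APP)}"
end
```

Placing the middleware early in the stack (before the router) is what makes it content-type agnostic; a check that the header is present on a JSON endpoint, as in the helper above, is the quick way to confirm the workaround took effect.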
Name | Operator (le = less than or equal to) | Version |
---|---|---|
actionpack | le | 7.0.2.3 |
actionpack | le | 6.1.5.0 |
actionpack | le | 6.0.4.7 |
actionpack | le | 5.2.7.0 |
discuss.rubyonrails.org/t/cve-2022-22577-possible-xss-vulnerability-in-action-pack/80533
github.com/advisories/GHSA-mm33-5vfq-3mm3
github.com/rails/rails/commit/2b820a2a69fa50cffa74b4aedc57bf92ed6910ec
github.com/rails/rails/commit/5299b57d596ea274f77f5ffee2b79c6ee0255508
github.com/rails/rails/commit/8198d7c4accad0b6ba956b9d59528534a289866b
github.com/rails/rails/commit/d2253115ac2b30f5f7210670af906cebf79cf809
github.com/rails/rails/pull/44635
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-22577.yml
groups.google.com/g/ruby-security-ann/c/NuFRKaN5swI
lists.debian.org/debian-lts-announce/2022/09/msg00002.html
nvd.nist.gov/vuln/detail/CVE-2022-22577
rubyonrails.org/2022/4/26/Rails-7-0-2-4-6-1-5-1-6-0-4-8-and-5-2-7-1-have-been-released
security.netapp.com/advisory/ntap-20221118-0002/
www.debian.org/security/2023/dsa-5372