CVE-2024-28103: Action Pack is missing security headers on non-HTML responses

5.4 CVSS

Description

Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy header is only served on responses with an HTML-related Content-Type; non-HTML responses are sent without it. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.

Classification

CVE ID: CVE-2024-28103

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

Affected Products

Vendor: rails

Product: rails

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.12% (estimated probability of exploitation in the wild)

EPSS Percentile: 46.85% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-02-03 (date this score was calculated)

References

https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
https://github.com/rails/rails/commit/35858f1d9d57f6c4050a8d9ab754bd5d088b4523

Timeline