
CVE-2022-22577: Cross-site Scripting Vulnerability in Action Pack

CVSS Score: 6.1 (CVSS v3.1)

Basic Information

EPSS Score: 0.44045%
Published: 4/27/2022
Updated: 4/13/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name   Ecosystem   Vulnerable Versions     First Patched Version
actionpack     rubygems    >= 5.2.0, <= 5.2.7.0    5.2.7.1
actionpack     rubygems    >= 6.0.0, <= 6.0.4.7    6.0.4.8
actionpack     rubygems    >= 6.1.0, <= 6.1.5.0    6.1.5.1
actionpack     rubygems    >= 7.0.0, <= 7.0.2.3    7.0.2.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from Rails applying Content-Security-Policy headers only to responses it considered HTML. In the Content Security Policy middleware (`ActionDispatch::ContentSecurityPolicy::Middleware`), an `html_response?` guard clause returned the response untouched whenever its Content-Type did not match HTML, so JSON and other API or non-HTML responses were sent to the browser with no CSP header at all. A browser rendering such a response directly therefore had none of the script-source restrictions the application's policy was meant to impose, which is what makes the issue an XSS exposure. The fix commit removes the `html_response?` check, so the middleware sets the header on every response it processes; the presence of the guard in vulnerable versions and its removal in the patched versions (5.2.7.1, 6.0.4.8, 6.1.5.1, 7.0.2.4) confirm it as the root cause. Note that the middleware only emits a header when a policy has been configured via `config.content_security_policy`; an application with no configured policy gets no CSP header on any response, before or after the fix.
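The guard clause described above, reduced to a minimal Rack middleware so the vulnerable and patched behaviours can be compared side by side. This is an added example, not Rails' own middleware: the `CspMiddleware` class, its `guard_non_html:` switch, the `POLICY` string and the downstream `SAMPLE_APP` (HTML, JSON and SVG responses) are all constructed for the illustration. With the guard enabled only the HTML response carries a Content-Security-Policy header; with the guard removed, every response does.

```ruby
# Added example (not Rails' own code): a Rack-style middleware that mirrors the
# CVE-2022-22577 root cause. guard_non_html: true reproduces the vulnerable
# behaviour (CSP header only on HTML responses); false reproduces the patched
# behaviour (CSP header on every response the middleware handles).

POLICY = "default-src 'self'; script-src 'self'".freeze  # constructed policy

class CspMiddleware
  def initialize(app, guard_non_html:, policy: POLICY)
    @app = app
    @guard_non_html = guard_non_html
    @policy = policy
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Vulnerable branch: the html_response? guard skips non-HTML responses,
    # so JSON/SVG/plain-text bodies reach the browser without a policy.
    return [status, headers, body] if @guard_non_html && !html_response?(headers)

    headers = headers.dup
    headers["Content-Security-Policy"] ||= @policy
    [status, headers, body]
  end

  private

  # Same shape as the check the patched versions removed: match on Content-Type.
  def html_response?(headers)
    headers["Content-Type"].to_s.match?(/html/)
  end
end

# Constructed downstream app: an HTML page, a JSON API endpoint and an SVG.
SAMPLE_APP = lambda do |env|
  case env["PATH_INFO"]
  when "/"    then [200, { "Content-Type" => "text/html" }, ["<h1>hi</h1>"]]
  when "/api" then [200, { "Content-Type" => "application/json" }, ['{"name":"<script>x</script>"}']]
  when "/img" then [200, { "Content-Type" => "image/svg+xml" }, ["<svg onload=alert(1)/>"]]
  else             [404, { "Content-Type" => "text/plain" }, ["not found"]]
  end
end

PATHS = ["/", "/api", "/img"].freeze

# Returns { path => CSP header value or nil } for each path served through app.
def csp_headers_for(app, paths = PATHS)
  paths.each_with_object({}) do |path, acc|
    _status, headers, _body = app.call("PATH_INFO" => path, "REQUEST_METHOD" => "GET")
    acc[path] = headers["Content-Security-Policy"]
  end
end

def vulnerable_result
  csp_headers_for(CspMiddleware.new(SAMPLE_APP, guard_non_html: true))
end

def fixed_result
  csp_headers_for(CspMiddleware.new(SAMPLE_APP, guard_non_html: false))
end

# Paths that come back without a policy; non-empty means the guard is still in place.
def unprotected_paths(result)
  result.select { |_path, csp| csp.nil? }.keys
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable: #{vulnerable_result.inspect}"   # only "/" carries the header
  puts "fixed:      #{fixed_result.inspect}"        # all three carry the header
end
```

The same check works against a deployed application: request a JSON or other non-HTML endpoint and inspect the response headers. On a vulnerable Action Pack version with a configured policy, the HTML pages carry `Content-Security-Policy` while the API responses do not; on a patched version the header appears on both.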


WAF Protection Rules

WAF Rule

There is a possible XSS vulnerability in Rails / Action Pack. This vulnerability has been assigned the CVE identifier CVE-2022-22577.
Versions Affected: >= 5.2.0
Not affected: < 5.2.0
Fixed Versions: 7.0.2.4, 6.1.5.1, 6.0.4.8, 5.2.7.1
