actionpack (RubyGems) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the RubyGems package actionpack, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (63)
CVE-2022-23634 — CVSS 8.0 (high): Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response…
CVE-2016-0751 — CVSS 7.5 (high): actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x…
CVE-2020-8164 — CVSS 7.5 (high): A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply…
CVE-2024-26142 — CVSS 7.5 (high): Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing…
CVE-2023-22795 — CVSS 7.5 (high): A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially…
CVE-2023-22792 — CVSS 7.5 (high): A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination…
CVE-2013-0156 — CVSS 7.5 (high): active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before…
CVE-2021-22904 — CVSS 7.5 (high): The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token…
CVE-2021-22902 — CVSS 7.5 (high): The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible…
CVE-2021-22885 — CVSS 7.5 (high): A possible information disclosure / unintended method execution vulnerability in Action Pack >= 2.0.0 when using the `redirect_to` or…
CVE-2011-0449 — CVSS 7.5 (high): actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.4, when a case-insensitive filesystem is used, does not…
CVE-2015-7581 — CVSS 7.5 (high): actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows…
CVE-2022-23633 — CVSS 7.4 (high): Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In…
CVE-2016-2098 — CVSS 7.3 (high): Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary…
CVE-2008-7248 — CVSS 6.8 (medium): Ruby on Rails 2.1 before 2.1.3 and 2.2.x before 2.2.2 does not verify tokens for requests with certain content types, which allows remote…
CVE-2011-0447 — CVSS 6.8 (medium): Ruby on Rails 2.1.x, 2.2.x, and 2.3.x before 2.3.11, and 3.x before 3.0.4, does not properly validate HTTP requests that contain an…
CVE-2024-47887: Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5…
CVE-2024-41128: Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5…
CVE-2020-8185 — CVSS 6.5 (medium): A denial of service vulnerability exists in Rails <6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app…
CVE-2013-6417 — CVSS 6.4 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences…
CVE-2012-2660 — CVSS 6.4 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly…
CVE-2021-44528 — CVSS 6.1 (medium): A open redirect vulnerability exists in Action Pack >= 6.0.0 that could allow an attacker to craft a "X-Forwarded-Host" headers in…
CVE-2021-22881 — CVSS 6.1 (medium): The Host Authorization middleware in Action Pack before 6.1.2.1, 6.0.3.5 suffers from an open redirect vulnerability. Specially crafted…
CVE-2022-22577 — CVSS 6.1 (medium): An XSS Vulnerability in Action Pack >= 5.2.0 and < 5.2.0 that could allow an attacker to bypass CSP for non HTML like responses.
CVE-2011-1497 — CVSS 6.1 (medium): A cross-site scripting vulnerability flaw was found in the auto_link function in Rails before version 3.0.6.
CVE-2020-8264 — CVSS 6.1 (medium): In actionpack gem >= 6.0.0, a possible XSS vulnerability exists when an application is running in development mode allowing an attacker to…
CVE-2021-22942 — CVSS 6.1 (medium): A possible open redirect vulnerability in the Host Authorization middleware in Action Pack >= 6.0.0 that could allow attackers to redirect…
CVE-2024-26143 — CVSS 6.1 (medium): Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller…
CVE-2021-22903 — CVSS 6.1 (medium): The actionpack ruby gem before 6.1.3.2 suffers from a possible open redirect vulnerability. Specially crafted Host headers in combination…
CVE-2023-22797 — CVSS 6.1 (medium): An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with…
CVE-2024-28103 — CVSS 5.4 (medium): Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is…
CVE-2016-2097 — CVSS 5.3 (medium): Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.2 and 4.x before 4.1.14.2 allows remote attackers to read…
CVE-2014-7829 — CVSS 5.0 (medium): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.21…
CVE-2009-3086 — CVSS 5.0 (medium): A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest…
CVE-2011-2929 — CVSS 5.0 (medium): The template selection functionality in actionpack/lib/action_view/template/resolver.rb in Ruby on Rails 3.0.x before 3.0.10 and 3.1.x…
CVE-2012-3424 — CVSS 5.0 (medium): The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x…
CVE-2013-6414 — CVSS 5.0 (medium): actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers…
CVE-2014-0082 — CVSS 5.0 (medium): actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during…
CVE-2020-8166 — CVSS 4.3 (medium): A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token…
CVE-2011-2931 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the strip_tags helper in actionpack/lib/action_controller/vendor/html-scanner/html/node.rb in…
CVE-2011-2197 — CVSS 4.3 (medium): The cross-site scripting (XSS) prevention feature in Ruby on Rails 2.x before 2.3.12, 3.0.x before 3.0.8, and 3.1.x before 3.1.0.rc2 does…
CVE-2011-0446 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in the mail_to helper in Ruby on Rails before 2.3.11, and 3.x before 3.0.4, when…
CVE-2009-3009 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in Ruby on Rails 2.x before 2.2.3, and 2.3.x before 2.3.4, allows remote attackers to inject…
CVE-2014-7818 — CVSS 4.3 (medium): Directory traversal vulnerability in actionpack/lib/action_dispatch/middleware/static.rb in Action Pack in Ruby on Rails 3.x before 3.2.20…
CVE-2014-0081 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17…
CVE-2013-6416 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the simple_format helper in actionpack/lib/action_view/helpers/text_helper.rb in Ruby on Rails…
CVE-2013-6415 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the number_to_currency helper in actionpack/lib/action_view/helpers/number_helper.rb in Ruby on…
CVE-2013-4491 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component…
CVE-2013-1857 — CVSS 4.3 (medium): The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before…
CVE-2013-1855 — CVSS 4.3 (medium): The sanitize_css method in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before…
CVE-2012-3465 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/sanitize_helper.rb in the strip_tags helper in Ruby on Rails…
CVE-2012-3463 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_tag_helper.rb in Ruby on Rails 3.x before 3.0.17, 3.1.x…
CVE-2012-2694 — CVSS 4.3 (medium): actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly…
CVE-2012-1099 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/form_options_helper.rb in the select helper in Ruby on Rails…
CVE-2011-4319 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in the i18n translations helper method in Ruby on Rails 3.0.x before 3.0.11 and 3.1.x before…
CVE-2011-3187 — CVSS 4.3 (medium): The to_s method in actionpack/lib/action_dispatch/middleware/remote_ip.rb in Ruby on Rails 3.0.5 does not validate the X-Forwarded-For…
CVE-2011-3186 — CVSS 4.3 (medium): CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers…
CVE-2023-28362 — CVSS 4.0 (medium): The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in…
CVE-2015-7576 — CVSS 3.7 (low): The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication…
CVE-2024-54133: Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability in the…
CVE-2026-33167: Action Pack is a Rubygem for building web applications on the Rails framework. In versions on the 8.1 branch prior to 8.1.2.1, the debug…