[GHSA-fwhr-88qx-h9g7] Missing security headers in Action Pack on non-HTML responses

[rahg0]

Updates

• Affected products
• Description

Comments
During the time of publishing this CVE, actionpack rubygem 7.1.3.4 version might be the latest one.
But, we have actionpack 7.1.4 version released on August 22, 2024 and i even tested the 7.1.4 version in one my test environment using Dependabot (and other tools) - there were no indication of CVE-2024-28103 on this version.

Reference GH repo: https://github.com/rahg0/ruby-log/blob/main/Gemfile.lock

[github]

Hi there @jhawthorn! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository.

This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory

[rahg0]

Hello,
Do we have any inputs on the above.?

[rahg0]

FYR.. We could see this is now fixed in rubysec as well:
rubysec/ruby-advisory-db#807

[JonathanLEvans]

Hi @rahg0, thank you for your submission. GHSA-fwhr-88qx-h9g7 has the vulnerable version range for the 7.1.x branch set to >= 7.1.0, < 7.1.3.4. Implied in the range is that any version outside of it, such as 7.1.4, is not affected. We do not maintain a list of all unaffected versions in the advisory.

[rahg0]

Understood!. Thanks for the clarification @JonathanLEvans .