
ruby-advisory-db false positive for actionpack 7.1.4 #52710

Closed
radar opened this issue Aug 26, 2024 · 3 comments

Comments

@radar (Contributor) commented Aug 26, 2024

Ruby advisory DB is incorrectly reporting that actionpack 7.1.4 doesn't contain the patch for CVE-2024-28103 aka GHSA-fwhr-88qx-h9g7.

I think the security page for that issue needs amending so that the automated scripts for ruby-advisory-db pick it up. I'm not 100% on how all of this works or is connected. I am not certain if the page needs updating, or if ruby-advisory-db needs changes, but I'm erring on the side of the page needing updating as ruby-advisory-db seems mostly automated and collects its data from this page.

Reproduction steps

Create a Gemfile with:

source 'https://rubygems.org'

gem 'actionpack', '7.1.4'
gem 'bundler-audit'

Then, run bundle install
Then, run bundle audit check --update

What happens

Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:	918 advisories
  last updated:	2024-08-24 11:36:02 -0700
  commit:	33907c16654555cb6089d8a41c6bd20ce8da2698
Name: actionpack
Version: 7.1.4
CVE: CVE-2024-28103
GHSA: GHSA-fwhr-88qx-h9g7
Criticality: Medium
URL: https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
Title: Missing security headers in Action Pack on non-HTML responses
Solution: update to '~> 6.1.7.8', '~> 7.0.8.4', '~> 7.1.3.4', '>= 7.2.0.beta2'

Vulnerabilities found!

What I expect to happen

No vulnerabilities reported.
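The "Solution" line in the output above is a list of RubyGems requirement strings, and the flagged version is judged patched only if it satisfies at least one of them. The following is an added example, not code from the issue, from Rails, or from ruby-advisory-db: it parses those strings with the standard `Gem::Requirement`/`Gem::Version` classes and shows why 7.1.4 is reported as unpatched. The pessimistic constraint `~> 7.1.3.4` expands to `>= 7.1.3.4, < 7.1.4`, so a later 7.1.x patch release that carries the fix falls outside it. The `PATCHED_CORRECTED` list is an assumed alternative wording constructed for this example (a lower bound for the 7.1 line); it is not the text of rubysec/ruby-advisory-db#807.

```ruby
require "rubygems"

# Constructed from the bundler-audit output quoted in the issue: the advisory's
# "Solution" line as a list of RubyGems requirement strings.
PATCHED_AS_LISTED = ["~> 6.1.7.8", "~> 7.0.8.4", "~> 7.1.3.4", ">= 7.2.0.beta2"].freeze

# Assumed corrected wording (an assumption for this example, not the content of
# rubysec/ruby-advisory-db#807): the 7.1 line becomes a bounded lower bound, so
# every 7.1.x release from 7.1.3.4 onward counts as patched.
PATCHED_CORRECTED = ["~> 6.1.7.8", "~> 7.0.8.4", ">= 7.1.3.4, < 7.2.0", ">= 7.2.0.beta2"].freeze

# A requirement string may hold several comma-separated clauses; Gem::Requirement
# takes them as separate arguments, so split before constructing it.
def parse_requirement(req)
  Gem::Requirement.new(*req.split(",").map(&:strip))
end

# True when +version+ satisfies at least one requirement in +requirements+,
# which is the "any patched requirement matches" check an audit tool performs.
def patched?(version, requirements)
  v = Gem::Version.new(version)
  requirements.any? { |req| parse_requirement(req).satisfied_by?(v) }
end

# Expands a single pessimistic constraint into its explicit bounds: "~> X" means
# ">= X" and "< X.bump", where bump drops the last segment and increments the
# next one ("7.1.3.4" bumps to "7.1.4").
def pessimistic_bounds(req)
  op, ver = Gem::Requirement.new(req).requirements.first
  raise ArgumentError, "not a pessimistic constraint: #{req}" unless op == "~>"
  [">= #{ver}", "< #{ver.bump}"]
end

if __FILE__ == $PROGRAM_NAME
  puts "~> 7.1.3.4 covers: #{pessimistic_bounds('~> 7.1.3.4').join(', ')}"
  puts "7.1.4 patched per listed solution?    #{patched?('7.1.4', PATCHED_AS_LISTED)}"
  puts "7.1.4 patched per corrected solution? #{patched?('7.1.4', PATCHED_CORRECTED)}"
end
```

Running the script prints `~> 7.1.3.4 covers: >= 7.1.3.4, < 7.1.4`, `false` for the listed solution and `true` for the corrected one, which is the difference between the "Vulnerabilities found!" result in the report and the expected clean run. The same check is useful when triaging any advisory-database false positive: evaluate the published requirement strings against the installed version before assuming the application is exposed.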

@eileencodes (Member) commented Aug 26, 2024

> I think the security page for that issue needs amending so that the automated scripts for ruby-advisory-db pick it up

Amended to what though? I checked a bunch of others and they're all the same setup for what versions are vulnerable and what versions are fixed.

@rafaelfranca (Member) commented Aug 26, 2024

Thanks. Rails has very little control over those databases. If they are reporting something wrong, it is usually an error in the database.

I opened a PR to fix it: rubysec/ruby-advisory-db#807.

rafaelfranca closed this as not planned on Aug 26, 2024

@radar (Contributor, Author) commented Aug 28, 2024

Thank you @rafaelfranca!
