GHSA SYNC: 1 brand new advisory

Author: jasnow

gems/actionpack/CVE-2024-54133.yml

@@ -0,0 +1,45 @@
+---
+gem: actionpack
+framework: rails
+cve: 2024-54133
+ghsa: vfm5-rmrh-j26v
+url: https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+title: Possible Content Security Policy bypass in Action Dispatch
+date: 2024-12-10
+description: |
+  There is a possible Cross Site Scripting (XSS) vulnerability
+  in the `content_security_policy` helper in Action Pack.
+
+  ## Impact
+
+  Applications which set Content-Security-Policy (CSP) headers
+  dynamically from untrusted user input may be vulnerable to
+  carefully crafted inputs being able to inject new directives
+  into the CSP. This could lead to a bypass of the CSP and its
+  protection against XSS and other attacks.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Applications can avoid setting CSP headers dynamically from
+  untrusted input, or can validate/sanitize that input.
+
+  ## Credits
+
+  Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
+cvss_v4: 2.3
+unaffected_versions:
+  - "< 5.2.0"
+patched_versions:
+  - "~> 7.0.8.7"
+  - "~> 7.1.5.1"
+  - "~> 7.2.2.1"
+  - ">= 8.0.0.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-54133
+    - https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+    - https://github.com/advisories/GHSA-vfm5-rmrh-j26v