Permissions-Policy is Only Served on HTML Content-Type

The application configurable Permissions-Policy is only served on responses
with an HTML related Content-Type.

This has been assigned the CVE identifier CVE-2024-28103.

Versions Affected: >= 6.1.0
Not affected: < 6.1.0
Fixed Versions: 6.1.7.8, 7.0.8.4, and 7.1.3.4

Impact

Responses with a non-HTML Content-Type are not serving the configured Permissions-Policy. There are certain non-HTML Content-Types that would benefit from having the Permissions-Policy enforced.

Releases

The fixed releases are available at the normal locations.

Workarounds

N/A

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the supported release series in accordance with our
maintenance policy
regarding security issues. They are in git-am format and consist of a
single changeset.

6-1-include-permissions-policy-header-on-non-html.patch - Patch for 6.1 series
7-0-include-permissions-policy-header-on-non-html.patch - Patch for 7.0 series
7-1-include-permissions-policy-header-on-non-html.patch - Patch for 7.1 series

Credits

Thank you shinkbr for reporting this!

References

jhawthorn published to rails/rails Jun 4, 2024

Published by the National Vulnerability Database Jun 4, 2024

Published to the GitHub Advisory Database Jun 4, 2024

Reviewed Jun 4, 2024

Last updated Jun 5, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Missing security headers in Action Pack on non-HTML responses

Package

Affected versions

Patched versions

Description

Permissions-Policy is Only Served on HTML Content-Type

Impact

Releases

Workarounds

Patches

Credits

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code

Credits