CVE-2024-28103 vulnerability in actionpack 7.1.3.2 #316
Comments
No need to update it. The gem must be compatible with the base version, that does not mean that you cannot use the latest one in your project.
Our vulnerability scanner picks up the actionpack version that is required for this gem and flags it as a vulnerability. Even if I use a later version of actionpack for other parts of my project, I still have in my gemfile lock a "vulnerable" actionpack because of data-migrate. I saw that you just submitted a PR. Perhaps it will resolve it. Thank you for looking into the issue.
So it is not necessary to update the rails version in our gemfiles, but to
If the
I think it works. PR
At the end of the day I will create a new release with this.
Can I close this? I think it is repaired with 11.0.0.rc3
The current version of actionpack (7.1.3.2) in the Gemfile.lock is vulnerable to CVE-2024-28103. Unfortunately, this is classed as a critical vulnerability by NIST. How can I help to upgrade the current actionpack to 7.1.3.4?
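The thread turns on which `Gemfile.lock` actually pins actionpack. The following is an added example, not code from this thread or from the data-migrate project: it reads the resolved actionpack version out of a lockfile and compares it with 7.1.3.4, the version named in the issue. Both lockfiles are constructed sample data, and the helper names `resolved_version` and `flagged?` are hypothetical.

```ruby
require "rubygems"

# Version the issue asks to upgrade to (taken from the issue text).
FIXED = Gem::Version.new("7.1.3.4")

# Return the resolved version of gem_name from Gemfile.lock text, or nil.
# Resolved gems are the 4-space-indented "name (version)" lines under
# "specs:"; the 6-space lines beneath them are dependency constraints.
def resolved_version(lockfile_text, gem_name)
  in_specs = false
  lockfile_text.each_line do |line|
    if line =~ /\A  specs:\s*\z/
      in_specs = true
    elsif line =~ /\A\S/ # a new top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)) && m[1] == gem_name
      # Drop a platform suffix such as "-x86_64-linux" before parsing.
      return Gem::Version.new(m[2].split("-").first)
    end
  end
  nil
end

# Simple threshold check against FIXED; this is not a full advisory range.
def flagged?(lockfile_text, gem_name = "actionpack", fixed = FIXED)
  version = resolved_version(lockfile_text, gem_name)
  !version.nil? && version < fixed
end

# Constructed sample: a lockfile pinning the version reported in the issue.
GEM_REPO_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.2)
        rack (>= 2.2.4)
      rack (3.0.11)

  PLATFORMS
    ruby
LOCK

# Constructed sample: a lockfile that resolves to the requested version.
APP_LOCK = GEM_REPO_LOCK.sub("actionpack (7.1.3.2)", "actionpack (7.1.3.4)")

puts "7.1.3.2 lockfile flagged: #{flagged?(GEM_REPO_LOCK)}"
puts "7.1.3.4 lockfile flagged: #{flagged?(APP_LOCK)}"
```

Running it against each `Gemfile.lock` a scanner reports shows which file carries the old pin.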