From b3c89fdcbfd95ae3dad41e54afde75bde6a7ff8a Mon Sep 17 00:00:00 2001
From: Al Snow <jasnow@hotmail.com>
Date: Wed, 11 Dec 2024 08:12:35 -0500
Subject: [PATCH] GHSA SYNC: 1 brand new advisory

---
 gems/actionpack/CVE-2024-54133.yml | 45 ++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 gems/actionpack/CVE-2024-54133.yml

diff --git a/gems/actionpack/CVE-2024-54133.yml b/gems/actionpack/CVE-2024-54133.yml
new file mode 100644
index 0000000000..ae099e10b7
--- /dev/null
+++ b/gems/actionpack/CVE-2024-54133.yml
@@ -0,0 +1,45 @@
+---
+gem: actionpack
+framework: rails
+cve: 2024-54133
+ghsa: vfm5-rmrh-j26v
+url: https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+title: Possible Content Security Policy bypass in Action Dispatch
+date: 2024-12-10
+description: |
+  There is a possible Cross Site Scripting (XSS) vulnerability
+  in the `content_security_policy` helper in Action Pack.
+
+  ## Impact
+
+  Applications which set Content-Security-Policy (CSP) headers
+  dynamically from untrusted user input may be vulnerable to
+  carefully crafted inputs being able to inject new directives
+  into the CSP. This could lead to a bypass of the CSP and its
+  protection against XSS and other attacks.
+
+  ## Releases
+
+  The fixed releases are available at the normal locations.
+
+  ## Workarounds
+
+  Applications can avoid setting CSP headers dynamically from
+  untrusted input, or can validate/sanitize that input.
+
+  ## Credits
+
+  Thanks to [ryotak](https://hackerone.com/ryotak) for the report!
+cvss_v4: 2.3
+unaffected_versions:
+  - "< 5.2.0"
+patched_versions:
+  - "~> 7.0.8.7"
+  - "~> 7.1.5.1"
+  - "~> 7.2.2.1"
+  - ">= 8.0.0.1"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-54133
+    - https://github.com/rails/rails/security/advisories/GHSA-vfm5-rmrh-j26v
+    - https://github.com/advisories/GHSA-vfm5-rmrh-j26v
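Review bot: The `date: 2024-12-10` entry is a plain scalar, so a YAML 1.1 loader such as Psych yields a Date object rather than the string `2024-12-10`; if any consumer compares or renders it as text, it should be written `date: "2024-12-10"`. The same implicit typing applies to `cvss_v4: 2.3`, which loads as a Float, which is presumably what a score field wants. If the repository schema already expects a Date here (the neighbouring advisory files under gems/ would show the convention), the line can stand as written. Separately, the GHSA advisory URL given in `url` is repeated verbatim as the second entry of `related.url`; dropping that duplicate keeps `related.url` to links not already provided by `url`.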