CVE-2024-28103 Overview
CVE-2024-28103 is a critical input validation vulnerability affecting Ruby on Rails Action Pack framework. Since version 6.1.0, the application configurable Permissions-Policy HTTP header is only served on responses with an HTML related Content-Type. This means that non-HTML responses (such as JSON, XML, or other content types) do not receive the Permissions-Policy header, potentially allowing attackers to bypass security policies that should be enforced across all response types.
Critical Impact
Applications relying on Permissions-Policy to restrict browser features may be vulnerable to policy bypass attacks on non-HTML endpoints, potentially enabling unauthorized access to sensitive browser APIs and features.
Affected Products
- Ruby on Rails versions 6.1.0 to 6.1.7.7
- Ruby on Rails versions 7.0.0 to 7.0.8.1
- Ruby on Rails versions 7.1.0 to 7.1.3.2
- Ruby on Rails version 7.2.0-beta1
Discovery Timeline
- June 4, 2024 - CVE-2024-28103 published to NVD
- December 6, 2024 - Last updated in NVD database
Technical Details for CVE-2024-28103
Vulnerability Analysis
The vulnerability exists in Action Pack's handling of the Permissions-Policy HTTP response header. The Permissions-Policy header is a security mechanism that allows web applications to control which browser features and APIs can be used in the browser. This includes features like geolocation, camera, microphone, payment APIs, and other sensitive browser capabilities.
The root issue is that Rails incorrectly restricts the application of this security header to only HTML responses. In modern web applications, APIs often return JSON, XML, or other content types that may still be processed by browsers in contexts where the Permissions-Policy should apply. By targeting non-HTML endpoints, attackers may be able to bypass these security restrictions.
Root Cause
The vulnerability stems from improper input validation (CWE-20) in the response handling logic. The Action Pack framework implemented conditional logic that checks the Content-Type of the response before applying the Permissions-Policy header. This design decision failed to account for scenarios where non-HTML responses might still be subject to browser feature restrictions, creating an inconsistent security posture across different endpoint types.
Attack Vector
The attack can be performed over the network without authentication or user interaction. An attacker could exploit this vulnerability by:
- Identifying API endpoints in a Rails application that return non-HTML content types (JSON, XML, etc.)
- Crafting requests to these endpoints that would normally be restricted by the Permissions-Policy
- Leveraging the missing policy header to access browser features that should be blocked
The vulnerability affects applications where the Permissions-Policy is critical to the security model. Since the policy is not applied to non-HTML responses, any application logic that relies on this header for security enforcement on all endpoints is vulnerable to bypass.
Detection Methods for CVE-2024-28103
Indicators of Compromise
- HTTP responses with non-HTML Content-Type headers missing the Permissions-Policy header
- Unexpected browser API access from API endpoints that should be restricted
- Web application logs showing requests to JSON/XML endpoints attempting to access restricted features
- Browser console warnings about feature policy violations being absent where expected
Detection Strategies
- Audit HTTP response headers across all endpoints to verify Permissions-Policy consistency
- Implement automated security testing that validates header presence on non-HTML responses
- Monitor application logs for unusual patterns of API requests that may indicate policy bypass attempts
- Use browser developer tools or security scanners to verify header presence across content types
Monitoring Recommendations
- Enable comprehensive HTTP header logging for all application responses
- Set up alerts for anomalous access patterns to sensitive browser APIs
- Implement regular security scans that check for missing security headers across all endpoints
- Monitor for exploitation attempts targeting API endpoints with sensitive functionality
How to Mitigate CVE-2024-28103
Immediate Actions Required
- Upgrade Ruby on Rails to version 6.1.7.8, 7.0.8.2, or 7.1.3.3 immediately
- Review application security model to identify endpoints relying on Permissions-Policy
- Audit all non-HTML endpoints for proper security header enforcement
- Consider implementing additional security controls at the reverse proxy or WAF level
Patch Information
Ruby on Rails has released patched versions that address this vulnerability. The fix ensures the Permissions-Policy header is served consistently regardless of Content-Type. Administrators should upgrade to the following fixed versions:
- Rails 6.1.x: Upgrade to 6.1.7.8 or later
- Rails 7.0.x: Upgrade to 7.0.8.2 or later
- Rails 7.1.x: Upgrade to 7.1.3.3 or later
The official patch can be reviewed in the GitHub commit. Additional details are available in the GitHub Security Advisory.
Workarounds
- Implement Permissions-Policy headers at the reverse proxy or load balancer level to ensure consistent enforcement
- Add custom middleware to manually inject Permissions-Policy headers for all response types
- Configure web application firewall rules to add missing security headers
- Use Rack middleware to enforce header presence regardless of Content-Type
# Example Nginx configuration to add Permissions-Policy header
# Add to server or location block
add_header Permissions-Policy "geolocation=(), camera=(), microphone=()" always;
# The 'always' directive ensures the header is added regardless of response status
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
