Closed as not planned
Description
The Ruby advisory DB is incorrectly reporting that actionpack 7.1.4 doesn't contain the patch for CVE-2024-28103, aka GHSA-fwhr-88qx-h9g7.
I think the security page for that issue needs amending so that the automated scripts for ruby-advisory-db pick it up. I'm not 100% on how all of this works or is connected. I am not certain if the page needs updating, or if ruby-advisory-db needs changes, but I'm erring on the side of the page needing updating as ruby-advisory-db seems mostly automated and collects its data from this page.
Reproduction steps
Create a Gemfile with:

```ruby
source 'https://rubygems.org'
gem 'actionpack', '7.1.4'
gem 'bundler-audit'
```

Then run `bundle install`.

Then run `bundle audit check --update`.
What happens
```text
Updating ruby-advisory-db ...
From https://github.com/rubysec/ruby-advisory-db
 * branch            master     -> FETCH_HEAD
Already up to date.
Updated ruby-advisory-db
ruby-advisory-db:
  advisories:   918 advisories
  last updated: 2024-08-24 11:36:02 -0700
  commit:       33907c16654555cb6089d8a41c6bd20ce8da2698
Name: actionpack
Version: 7.1.4
CVE: CVE-2024-28103
GHSA: GHSA-fwhr-88qx-h9g7
Criticality: Medium
URL: https://github.com/rails/rails/security/advisories/GHSA-fwhr-88qx-h9g7
Title: Missing security headers in Action Pack on non-HTML responses
Solution: update to '~> 6.1.7.8', '~> 7.0.8.4', '~> 7.1.3.4', '>= 7.2.0.beta2'

Vulnerabilities found!
```
What I expect to happen
No vulnerabilities reported.
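The reason the report above fires is visible in the `Solution:` line: bundler-audit treats a gem version as vulnerable when it satisfies none of the advisory's patched-version ranges, and a pessimistic constraint like `~> 7.1.3.4` means `>= 7.1.3.4, < 7.1.4`, so 7.1.4 falls into the gap between that range and `>= 7.2.0.beta2`. The following added example (written for this page, not code from the issue author, Rails, bundler-audit or ruby-advisory-db) reproduces that evaluation with RubyGems' own `Gem::Requirement` matching, which is the same semantics bundler-audit uses, and contrasts it with a widened 7.1 range. The widened range `~> 7.1.3, >= 7.1.3.4` is an assumption for illustration, not the database's actual correction; the `patched?` and `explicit_bounds` helpers are hypothetical names.

```ruby
# Added example: why actionpack 7.1.4 is flagged against the advisory's
# patched-version ranges, evaluated with RubyGems' own requirement matching.
require 'rubygems'

# Patched-version constraints exactly as printed in the bundler-audit output
# for GHSA-fwhr-88qx-h9g7 (copied from the report in the issue).
REPORTED_PATCHED = ['~> 6.1.7.8', '~> 7.0.8.4', '~> 7.1.3.4', '>= 7.2.0.beta2'].freeze

# Widened set: an ASSUMPTION for illustration only, not the advisory DB's real fix.
# '~> 7.1.3, >= 7.1.3.4' accepts every 7.1.x release from 7.1.3.4 upward.
CORRECTED_PATCHED = ['~> 6.1.7.8', '~> 7.0.8.4', '~> 7.1.3, >= 7.1.3.4', '>= 7.2.0.beta2'].freeze

# A version counts as patched when it satisfies at least one range.
# A comma-separated range is one Gem::Requirement with several clauses
# (the split mirrors how bundler-audit builds requirements from advisory YAML).
def patched?(version_string, patched_ranges)
  version = Gem::Version.new(version_string)
  patched_ranges.any? do |range|
    Gem::Requirement.new(*range.split(', ')).satisfied_by?(version)
  end
end

# Expand a pessimistic ('~>') constraint into its explicit lower and upper bound
# so the gap is visible; other operators are returned unchanged.
def explicit_bounds(constraint)
  op, version = Gem::Requirement.parse(constraint)
  return constraint unless op == '~>'
  ">= #{version}, < #{version.bump}"
end

# Evaluate a list of versions against a set of ranges; returns {version => patched?}.
def audit(versions, patched_ranges)
  versions.to_h { |v| [v, patched?(v, patched_ranges)] }
end

if __FILE__ == $PROGRAM_NAME
  REPORTED_PATCHED.each { |c| puts format('%-16s => %s', c, explicit_bounds(c)) }
  puts
  %w[7.1.3.4 7.1.4 7.2.0.beta2 7.2.0].each do |v|
    puts format('actionpack %-12s reported: %-5s widened: %s', v,
                patched?(v, REPORTED_PATCHED), patched?(v, CORRECTED_PATCHED))
  end
end
```

Running the block prints the expanded bounds (`~> 7.1.3.4 => >= 7.1.3.4, < 7.1.4`) and shows 7.1.4 rejected by the reported ranges but accepted by the widened one; the practical lesson for anyone maintaining advisory data is that a four-segment pessimistic constraint only covers the rest of that patch series, so a later minor release on the same branch needs its own range or a wider constraint.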