{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_security_advisory","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 on GA media","title":"Title of the patch"},{"category":"description","text":"These are all security issues fixed in the ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 package on the GA media of openSUSE Tumbleweed.","title":"Description of the patch"},{"category":"details","text":"openSUSE-Tumbleweed-2026-10343","title":"Patchnames"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"SUSE ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"self","summary":"URL of this CSAF notice","url":"https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10343-1.json"},{"category":"self","summary":"SUSE CVE CVE-2024-54133 page","url":"https://www.suse.com/security/cve/CVE-2024-54133/"},{"category":"self","summary":"SUSE CVE CVE-2025-55193 page","url":"https://www.suse.com/security/cve/CVE-2025-55193/"}],"title":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3 on GA media","tracking":{"current_release_date":"2026-03-13T00:00:00Z","generator":{"date":"2026-03-13T00:00:00Z","engine":{"name":"cve-database.git:bin/generate-csaf.pl","version":"1"}},"id":"openSUSE-SU-2026:10343-1","initial_release_date":"2026-03-13T00:00:00Z","revision_history":[{"date":"2026-03-13T00:00:00Z","number":"1","summary":"Current version"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_version","name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","product":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","product_id":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64"}}],"category":"architecture","name":"aarch64"},{"branches":[{"category":"product_version","name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","product":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","product_id":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le"}}],"category":"architecture","name":"ppc64le"},{"branches":[{"category":"product_version","name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","product":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","product_id":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x"}}],"category":"architecture","name":"s390x"},{"branches":[{"category":"product_version","name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64","product":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64","product_id":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"}}],"category":"architecture","name":"x86_64"},{"branches":[{"category":"product_name","name":"openSUSE Tumbleweed","product":{"name":"openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed","product_identification_helper":{"cpe":"cpe:/o:opensuse:tumbleweed"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64"},"product_reference":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le"},"product_reference":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x"},"product_reference":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","relates_to_product_reference":"openSUSE Tumbleweed"},{"category":"default_component_of","full_product_name":{"name":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64 as component of openSUSE Tumbleweed","product_id":"openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"},"product_reference":"ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64","relates_to_product_reference":"openSUSE Tumbleweed"}]},"vulnerabilities":[{"cve":"CVE-2024-54133","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-54133"}],"notes":[{"category":"general","text":"Action Pack is a framework for handling and responding to web requests. There is a possible Cross Site Scripting (XSS) vulnerability  in the `content_security_policy` helper starting in version 5.2.0 of Action Pack and prior to versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1. Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives into the CSP. This could lead to a bypass of the CSP and its protection against XSS and other attacks. Versions 7.0.8.7, 7.1.5.1, 7.2.2.1, and 8.0.0.1 contain a fix. As a workaround, applications can avoid setting CSP headers dynamically from untrusted input, or can validate/sanitize that input.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"]},"references":[{"category":"external","summary":"CVE-2024-54133","url":"https://www.suse.com/security/cve/CVE-2024-54133"},{"category":"external","summary":"SUSE Bug 1234365 for CVE-2024-54133","url":"https://bugzilla.suse.com/1234365"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"]}],"threats":[{"category":"impact","date":"2026-03-13T00:00:00Z","details":"low"}],"title":"CVE-2024-54133"},{"cve":"CVE-2025-55193","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-55193"}],"notes":[{"category":"general","text":"Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in versions 7.1.5.2, 7.2.2.2, and 8.0.2.1.","title":"CVE description"}],"product_status":{"recommended":["openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"]},"references":[{"category":"external","summary":"CVE-2025-55193","url":"https://www.suse.com/security/cve/CVE-2025-55193"},{"category":"external","summary":"SUSE Bug 1248099 for CVE-2025-55193","url":"https://bugzilla.suse.com/1248099"}],"remediations":[{"category":"vendor_fix","details":"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n","product_ids":["openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"]}],"scores":[{"cvss_v3":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"},"products":["openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.aarch64","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.ppc64le","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.s390x","openSUSE Tumbleweed:ruby4.0-rubygem-activerecord-8.0-8.0.3-1.3.x86_64"]}],"threats":[{"category":"impact","date":"2026-03-13T00:00:00Z","details":"moderate"}],"title":"CVE-2025-55193"}]}