CVE-2024-26142

EPSS 2.08%
Veröffentlicht 27.02.2024 16:15:46
Zuletzt bearbeitet 14.02.2025 16:22:23
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 8

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rubyonrails ≫ Rails Version >= 7.1.0 < 7.1.3.1

Ruby-lang ≫ Ruby Version < 3.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	2.08%	0.834

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

Vendor Advisory

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

Patch

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

Vendor Advisory

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

Third Party Advisory

https://security.netapp.com/advisory/ntap-20240503-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26142

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26142

EUVD