CVE-2024-26142

EPSS 2.08%
Published 27.02.2024 16:15:46
Last modified 14.02.2025 16:22:23
Source security-advisories@github.com
Teams watchlist Login
Open Login

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Affected products Warnungen 0 Metrics 3 CWE 1 References 8

Data is provided by the National Vulnerability Database (NVD)

Rubyonrails ≫ Rails Version >= 7.1.0 < 7.1.3.1

Ruby-lang ≫ Ruby Version < 3.2.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.08%	0.834

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

Vendor Advisory

https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

Patch

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

Vendor Advisory

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

Third Party Advisory

https://security.netapp.com/advisory/ntap-20240503-0003/

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-26142

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26142

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26142

EUVD