CVE-2024-47887

EPSS 0.49%
Published 16.10.2024 20:15:06
Last modified 18.10.2024 12:53:04
Source security-advisories@github.com
Teams watchlist Login
Open Login

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Affected products Warnungen 0 Metrics 2 CWE 1 References 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Vendorrubyonrails

≫

Product rails

Default Statusunknown

Version < 6.1.7.9

Version 4.0.0

Status affected

Version < 7.0.8.5

Version 7.0.0

Status affected

Version < 7.1.4.1

Version 7.1.0

Status affected

Version < 7.2.1.1

Version 7.2.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.49%	0.645

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	6.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

https://nvd.nist.gov/vuln/detail/CVE-2024-47887

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47887

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47887

EUVD