CVE-2024-47887

EPSS 0.27%
Veröffentlicht 16.10.2024 20:15:06
Zuletzt bearbeitet 15.04.2026 00:35:42
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Action Controller has possible ReDoS vulnerability in HTTP Token authentication

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)

Herstellerrubyonrails

≫

Produkt rails

Default Statusunknown

Version 4.0.0

Version < 6.1.7.9

Status affected

Version 7.0.0

Version < 7.0.8.5

Status affected

Version 7.1.0

Version < 7.1.4.1

Status affected

Version 7.2.0

Version < 7.2.1.1

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.506

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.6	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-1333 Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049

https://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a

https://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545

https://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2

https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

https://nvd.nist.gov/vuln/detail/CVE-2024-47887

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-47887

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-47887

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-47887