CVE-2024-26142

2024-02-2716:15:46

Debian Security Bug Tracker

security-tracker.debian.org

rails web-application framework

accept header parsing

redos vulnerability

action dispatch

patched

ruby 3.2 mitigations

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

Percentile

15.5%

JSON

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

OSVersionArchitecturePackageVersionFilename
Debian12allrails< 2:6.1.7.3+dfsg-2~deb12u1rails_2:6.1.7.3+dfsg-2~deb12u1_all.deb
Debian11allrails< 2:6.0.3.7+dfsg-2+deb11u2rails_2:6.0.3.7+dfsg-2+deb11u2_all.deb
Debian999allrails< 2:6.1.7.3+dfsg-4rails_2:6.1.7.3+dfsg-4_all.deb
Debian13allrails< 2:6.1.7.3+dfsg-3rails_2:6.1.7.3+dfsg-3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	rails	< 2:6.1.7.3+dfsg-2~deb12u1	rails_2:6.1.7.3+dfsg-2~deb12u1_all.deb
Debian	11	all	rails	< 2:6.0.3.7+dfsg-2+deb11u2	rails_2:6.0.3.7+dfsg-2+deb11u2_all.deb
Debian	999	all	rails	< 2:6.1.7.3+dfsg-4	rails_2:6.1.7.3+dfsg-4_all.deb
Debian	13	all	rails	< 2:6.1.7.3+dfsg-3	rails_2:6.1.7.3+dfsg-3_all.deb