CVE-2024-26142

2024-02-2716:15:46

Google

osv.dev

rails web-application framework

accept header parsing

action dispatch

redos vulnerability

ruby 3.2

software .

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

15.7%

JSON

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

CPENameOperatorVersion
railseq2.3.2
railseq3.0.0.beta1
railseq7.1.0
railseq6.0.0.beta3
railseq1.1.0
railseq2.3.0
railseq4.0.0.rc1
railseq5.0.0.rc1
railseq0.13.1
railseq2.3.1