Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:ACTIONPACK-2021-22904
HistoryMay 04, 2021 - 9:00 p.m.

Possible DoS Vulnerability in Action Controller Token Authentication

2021-05-0421:00:00
RubySec
rubysec.com
8
JSON

There is a possible DoS vulnerability in the Token Authentication logic in
Action Controller. This vulnerability has been assigned the CVE identifier
CVE-2021-22904.

Versions Affected: >= 4.0.0
Not affected: < 4.0.0
Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or
authenticate_with_http_token for request authentication. Impacted code will
look something like this:

class PostsController &lt; ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around
the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end

Related

veracode 1
osv 4
debiancve 1
redhatcve 1
github 1
ubuntucve 1
prion 1
cve 1
nessus 5
ibm 1
suse 1
openvas 4
debian 2
freebsd 1
redhat 1
veracode
veracode
Denial Of Service (DoS)
2021-05-06 06:23:48
osv
osv
CVE-2021-22904
2021-06-11 16:15:11
Possible DoS Vulnerability in Action Controller Token Authentication
2021-05-05 19:49:12
rails - security update
2021-05-12 00:00:00
debiancve
debiancve
CVE-2021-22904
2021-06-11 16:15:00
redhatcve
redhatcve
CVE-2021-22904
2021-05-19 00:25:31
github
github
Possible DoS Vulnerability in Action Controller Token Authentication
2021-05-05 19:49:12
ubuntucve
ubuntucve
CVE-2021-22904
2021-06-11 00:00:00
prion
prion
Authentication flaw
2021-06-11 16:15:00
cve
cve
CVE-2021-22904
2021-06-11 16:15:00
nessus
nessus
SUSE SLES15 Security Update : rubygem-actionpack-5_1, rubygem-activesupport-5_1 (SUSE-SU-2022:2108-1)
2022-06-17 00:00:00
Debian DLA-2655-1 : rails security update
2021-05-12 00:00:00
Debian DSA-4929-1 : rails - security update
2021-06-11 00:00:00
ibm
ibm
Security Bulletin: A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management
2021-07-26 16:53:38
suse
suse
Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (important)
2022-06-16 00:00:00
openvas
openvas
Debian: Security Advisory (DLA-2655-1)
2021-05-12 00:00:00
openSUSE: Security Advisory for rubygem-actionpack-5_1, (SUSE-SU-2022:2108-1)
2022-06-17 00:00:00
Debian: Security Advisory (DSA-4929-1)
2021-06-11 00:00:00
debian
debian
[SECURITY] [DLA 2655-1] rails security update
2021-05-11 20:52:09
[SECURITY] [DSA 4929-1] rails security update
2021-06-09 21:11:09
freebsd
freebsd
Rails -- multiple vulnerabilities
2021-05-05 00:00:00
redhat
redhat
(RHSA-2021:4702) Moderate: Satellite 6.10 Release
2021-11-16 13:58:57
JSON
Related for RUBY:ACTIONPACK-2021-22904
veracode1osv4debiancve1redhatcve1github1ubuntucve1prion1cve1nessus5ibm1suse1openvas4debian2freebsd1redhat1