RubySecRUBY:ACTIONPACK-2024-26142Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%
There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1
Impact
Carefully crafted Accept headers can cause Accept header parsing in
Action Dispatch to take an unexpected amount of time, possibly resulting in a
DoS vulnerability. All users running an affected release should either upgrade
or use one of the workarounds immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using
Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
| CPE | Name | Operator | Version |
|---|---|---|---|
| actionpack | lt | 7.1.0 | |
| actionpack | lt | 7.1.3.1 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7 High
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
15.7%