CVSS3 base score: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.001 Low (percentile 42.7%)
A regular-expression-based denial of service (ReDoS) in Active Support before
6.1.7.1 (6.1 series) and before 7.0.4.1 (7.0 series). A specially crafted string
passed to the underscore method (ActiveSupport::Inflector#underscore, also
reached through String#underscore from the core extensions) can drive the
regular expression engine into catastrophic backtracking. Where attacker-controlled
input reaches this method, the process can consume large amounts of CPU and
memory, making a denial of service possible. No confidentiality or integrity
impact is involved, which is why the CVSS vector scores availability only.
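The practical question for an operator is whether a deployed application pins an affected activesupport release. The following is an added example, not code from the advisory or from Rails: it parses the `specs:` section of a Gemfile.lock and applies the two fixed-version boundaries stated above (6.1.7.1 and 7.0.4.1). The lockfile text is a constructed sample, and the function names are my own.

```ruby
# Added example (not from the advisory or from Rails): check a Gemfile.lock
# for an activesupport version affected by CVE-2023-22796.
require "rubygems"

# First fixed release in each affected line, as given in the advisory text.
FIXED_6_1 = Gem::Version.new("6.1.7.1")
FIXED_7_0 = Gem::Version.new("7.0.4.1")
SERIES_7_0_START = Gem::Version.new("7.0.0")
SERIES_7_1_START = Gem::Version.new("7.1.0")

# Returns true when the version falls in an affected range:
#   - anything below 6.1.7.1 (covers 6.1.x before the fix and every older,
#     unsupported line such as 6.0 and 5.2)
#   - 7.0.0 up to but not including 7.0.4.1
# 6.1.7.1+ within the 6.1 line and 7.1+ carry the fix.
def activesupport_affected?(version_string)
  v = Gem::Version.new(version_string)
  return true if v < FIXED_6_1
  return v < FIXED_7_0 if v >= SERIES_7_0_START && v < SERIES_7_1_START
  false
end

# Pull the pinned activesupport version out of Gemfile.lock text. In the
# "specs:" section a resolved gem is listed as "    name (version)" with
# four leading spaces; its dependencies are indented further and carry
# an operator such as "(= 7.0.4)", so they do not match this pattern.
def locked_activesupport_version(lockfile_text)
  m = lockfile_text.match(/^ {4}activesupport \(([^)\s]+)\)/)
  m && m[1]
end

def report(lockfile_text)
  ver = locked_activesupport_version(lockfile_text)
  return "activesupport not present in lockfile" unless ver
  status = activesupport_affected?(ver) ? "AFFECTED by CVE-2023-22796" : "not affected"
  "activesupport #{ver}: #{status}"
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.4)
        concurrent-ruby (~> 1.0, >= 1.0.2)
        i18n (>= 1.6, < 2)
        minitest (>= 5.1)
        tzinfo (~> 2.0)
      concurrent-ruby (1.1.10)
      i18n (1.12.0)
        concurrent-ruby (~> 1.0)
      minitest (5.16.3)
      tzinfo (2.0.5)
        concurrent-ruby (~> 1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    activesupport (~> 7.0)
LOCK

if __FILE__ == $0
  # With no argument, report on the embedded sample; otherwise read the
  # lockfile path given on the command line.
  puts report(ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK)
end
```

Run it as `ruby check_cve_2023_22796.rb /path/to/Gemfile.lock`. Note that a version such as 6.1.7.2 is reported as not affected while 7.0.4 is, which is the consequence of the two release lines being fixed independently; a naive "less than 7.0.4.1" check would misclassify the whole 6.1 line.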
Author | Note |
---|---|
seth-arnold | In Oneiric-Saucy, the rails package is just for transition; the rails package contains actual code from vivid onward |
discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
github.com/rails/rails/commit/4b383e6936d7a72b5dc839f526c9a9aeb280acae (6-1-stable)
launchpad.net/bugs/cve/CVE-2023-22796
nvd.nist.gov/vuln/detail/CVE-2023-22796
security-tracker.debian.org/tracker/CVE-2023-22796
www.cve.org/CVERecord?id=CVE-2023-22796