actionpack is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists in Action Dispatch due to a regular expression of inefficient complexity: a specially crafted cookie, in combination with a specially crafted X-Forwarded-Host header (written X_FORWARDED_HOST in the upstream advisory), causes the regular expression engine to enter catastrophic backtracking. Rather than crashing the process, this consumes large amounts of CPU (and memory) in the request-handling worker, so a small number of requests can deny service. Fixed in Rails 6.1.7.1 and 7.0.4.1.
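The following is an added example, not code from this page, from Rails, or from the fix commits linked below. It shows the mechanism in miniature: a naive cookie-domain helper that extracts the last labels of the request host with a regex of the nested-quantifier shape that backtracks catastrophically, the linear-time String#split rewrite a reviewer would ask for, and a bounded timing probe plus the Ruby 3.2+ checks (Regexp.linear_time?, Regexp.timeout) a practitioner would use to confirm exposure. The helper names, the regex `([^.]+\.?){n}$` (illustrative of the shape, not asserted to be Rails's exact expression), the sample hosts and the label lengths are all assumptions made for the example.

```ruby
require "timeout"

# Naive helper of the vulnerable shape (illustrative; not asserted to be the
# exact expression Rails used): take the last `tld_length` labels of the
# request host with a regex. The repeated group `([^.]+\.?)` has an optional
# separator, so a run of non-dot characters can be carved into the n
# repetitions in many ways. On a host that cannot match at all (one containing
# "..", say), a backtracking engine tries every carving from every start
# position before giving up.
def cookie_domain_regex(host, tld_length)
  return nil if host.match?(/\A[\d.]+\z/) # an IP literal never gets a domain
  m = /([^.]+\.?){#{tld_length}}$/.match(host)
  m && ".#{m[0]}"
end

# Linear-time replacement: split on "." once, reject empty labels and hosts
# with too few labels, then take the trailing labels. Nothing can backtrack.
def cookie_domain_split(host, tld_length)
  return nil if host.match?(/\A[\d.]+\z/)
  labels = host.split(".", -1)
  return nil if labels.include?("") || labels.length < tld_length
  ".#{labels.last(tld_length).join(".")}"
end

# Constructed attacker host: a long label followed by "..". The last repetition
# must end in a non-dot or a single dot, so this never matches, and the regex
# path explores on the order of n^3 states for an n-character label.
def crafted_host(n)
  ("a" * n) + ".."
end

# Ruby >= 3.2 raises Regexp::TimeoutError when Regexp.timeout is set; older
# interpreters only have Timeout::Error from the wrapping Timeout.timeout.
REGEX_TIMEOUTS = [Timeout::Error]
REGEX_TIMEOUTS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

# Time one regex-path call under a hard budget, as a ReDoS probe would.
# Returns elapsed seconds, or :timed_out when the budget is exceeded.
def probe(host, tld_length, budget: 1.0)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Timeout.timeout(budget) { cookie_domain_regex(host, tld_length) }
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - start
rescue *REGEX_TIMEOUTS
  :timed_out
end

# Both helpers agree on well-formed multi-label hosts...
%w[www.example.com shop.example.co.uk].each do |h|
  puts "#{h}: regex=#{cookie_domain_regex(h, 2).inspect} split=#{cookie_domain_split(h, 2).inspect}"
end
# ...but the regex's ambiguity shows even on benign input: it carves "localhost"
# into "localhos" + "t" and returns ".localhost", where the split version
# declines to set a domain for a single-label host.
puts "localhost: regex=#{cookie_domain_regex('localhost', 2).inspect} split=#{cookie_domain_split('localhost', 2).inspect}"

# Ruby >= 3.2 can report whether its memoizing matcher covers a pattern and can
# bound every match with Regexp.timeout; both are guarded because older
# interpreters lack them.
if Regexp.respond_to?(:linear_time?)
  puts "linear_time? #{Regexp.linear_time?(/([^.]+\.?){2}$/)}"
end
Regexp.timeout = 1.0 if Regexp.respond_to?(:timeout=)

# Doubling the label length multiplies the regex path's work by roughly eight
# on an engine without memoization; the split path stays proportional to n.
[300, 600].each do |n|
  puts "n=#{n}: regex #{probe(crafted_host(n), 2).inspect}; split #{cookie_domain_split(crafted_host(n), 2).inspect}"
end
```

The label lengths are kept small so the demonstration finishes in well under a second; an X-Forwarded-Host value a few kilobytes long, which is within what most front ends forward, puts the same regex path into minutes of CPU per request. Interpreters with the Ruby 3.2 memoizing matcher may report linear_time? true and show no slowdown for this particular pattern, which is exactly why the structural fix (no ambiguous repetition over attacker input) is preferable to relying on the engine.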
discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
github.com/advisories/GHSA-p84v-45xj-wwqj
github.com/rails/rails/commit/90e8a9089b700649317a0761dc8a02a3873d9947
github.com/rails/rails/commit/cd46b0e46962013fbf93d5b1f12b2f22e57d49eb
github.com/rails/rails/releases/tag/v6.1.7.1
github.com/rails/rails/releases/tag/v7.0.4.1
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml
www.debian.org/security/2023/dsa-5372