Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Metrics
Affected Vendors & Products
References
History
Thu, 17 Oct 2024 17:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Rubyonrails
Rubyonrails rails |
|
CPEs | cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:* | |
Vendors & Products |
Rubyonrails
Rubyonrails rails |
|
Metrics |
ssvc
|
Wed, 16 Oct 2024 21:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-770 |
Wed, 16 Oct 2024 21:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Weaknesses | CWE-1333 |
Wed, 16 Oct 2024 20:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected. |
Title | rubygem-actionpack: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller | Action Controller has possible ReDoS vulnerability in HTTP Token authentication |
Weaknesses | CWE-770 | |
References |
|
|
Metrics |
cvssV4_0
|
Wed, 16 Oct 2024 13:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | No description is available for this CVE. | |
Title | rubygem-actionpack: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller | |
Weaknesses | CWE-1337 | |
References |
| |
Metrics |
threat_severity
|
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published: 2024-10-16T20:02:34.722Z
Updated: 2024-10-17T16:36:00.367Z
Reserved: 2024-10-04T16:00:09.631Z
Link: CVE-2024-47887
Vulnrichment
Updated: 2024-10-17T16:35:53.058Z
NVD
Status : Awaiting Analysis
Published: 2024-10-16T20:15:06.600
Modified: 2024-10-18T12:53:04.627
Link: CVE-2024-47887
Redhat