Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
History

Thu, 17 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails rails
CPEs cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products Rubyonrails
Rubyonrails rails
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770

Wed, 16 Oct 2024 21:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1333

Wed, 16 Oct 2024 20:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
Title rubygem-actionpack: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller Action Controller has possible ReDoS vulnerability in HTTP Token authentication
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


Wed, 16 Oct 2024 13:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title rubygem-actionpack: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller
Weaknesses CWE-1337
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-16T20:02:34.722Z

Updated: 2024-10-17T16:36:00.367Z

Reserved: 2024-10-04T16:00:09.631Z

Link: CVE-2024-47887

cve-icon Vulnrichment

Updated: 2024-10-17T16:35:53.058Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-16T20:15:06.600

Modified: 2024-10-18T12:53:04.627

Link: CVE-2024-47887

cve-icon Redhat

Severity : Low

Publid Date: 2024-10-15T23:35:35Z

Links: CVE-2024-47887 - Bugzilla