-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2024-26142.yml
36 lines (28 loc) · 1.15 KB
/
CVE-2024-26142.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
---
gem: actionpack
framework: rails
cve: 2024-26142
ghsa: jjhx-jhvp-74wq
url: https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
title: Possible ReDoS vulnerability in Accept header parsing in Action Dispatch
date: 2024-02-21
description: |
There is a possible ReDoS vulnerability in the Accept header parsing routines
of Action Dispatch. This vulnerability has been assigned the CVE identifier
CVE-2024-26142.
Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1
# Impact
Carefully crafted Accept headers can cause Accept header parsing in
Action Dispatch to take an unexpected amount of time, possibly resulting in a
DoS vulnerability. All users running an affected release should either upgrade
or use one of the workarounds immediately.
Ruby 3.2 has mitigations for this problem, so Rails applications using
Ruby 3.2 or newer are unaffected.
# Releases
The fixed releases are available at the normal locations.
# Workarounds
There are no feasible workarounds for this issue.
unaffected_versions:
- "< 7.1.0"
patched_versions:
- ">= 7.1.3.1"