CVE-2024-26142
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rails | rails | >= 7.1.0, < 7.1.3.1 | affected |
Weaknesses
- CWE-1333: CWE-1333: Inefficient Regular Expression Complexity
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
- https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
- https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
- https://security.netapp.com/advisory/ntap-20240503-0003/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
- https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
- https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
- https://security.netapp.com/advisory/ntap-20240503-0003/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.