CVE-2023-22792
09.02.2023, 20:15
A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.Enginsight
| Vendor | Product | Version |
|---|---|---|
| rubyonrails | rails | 3.0.0 ≤ 𝑥 < 6.0.6.1 |
| rubyonrails | rails | 6.1.0 ≤ 𝑥 < 6.1.7.1 |
| rubyonrails | rails | 7.0.0 ≤ 𝑥 < 7.0.4.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| rails |
| ||||||||||||||||||||
| rails-4.0 |
| ||||||||||||||||||||
| ruby-actionpack-3.2 |
| ||||||||||||||||||||
| ruby-activemodel-3.2 |
| ||||||||||||||||||||
| ruby-activerecord-3.2 |
| ||||||||||||||||||||
| ruby-activesupport-3.2 |
| ||||||||||||||||||||
| ruby-rails-3.2 |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-1333 - Inefficient Regular Expression ComplexityThe product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
References