CVE-2024-26142

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
rubyonrailsrails
7.1.0 ≤
𝑥
< 7.1.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rails
bullseye (security)
2:6.0.3.7+dfsg-2+deb11u2
fixed
bullseye
2:6.0.3.7+dfsg-2+deb11u2
fixed
bookworm
2:6.1.7.10+dfsg-1~deb12u1
fixed
bookworm (security)
2:6.1.7.10+dfsg-1~deb12u1
fixed
sid
2:7.2.2.1+dfsg-7
fixed
trixie
2:7.2.2.1+dfsg-7
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rails
plucky
needs-triage
oracular
needs-triage
noble
needs-triage
mantic
ignored
jammy
needs-triage
focal
needs-triage
bionic
needs-triage
xenial
needs-triage
trusty
ignored
rails-4.0
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-actionpack-3.2
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activemodel-3.2
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activerecord-3.2
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-activesupport-3.2
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
ruby-rails-3.2
plucky
dne
oracular
dne
noble
dne
mantic
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
ignored
Common Weakness Enumeration
References
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://security.netapp.com/advisory/ntap-20240503-0003/
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://security.netapp.com/advisory/ntap-20240503-0003/