CVE-2024-26142

EUVD-2024-0663
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_MCNA
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
Affected Products (NVD)
VendorProductVersion
rubyonrailsrails
7.1.0 ≤
𝑥
< 7.1.3.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
rails
bookworm
2:6.1.7.10+dfsg-1~deb12u1
fixed
bookworm (security)
2:6.1.7.10+dfsg-1~deb12u2
fixed
bullseye
2:6.0.3.7+dfsg-2+deb11u2
fixed
bullseye (security)
2:6.0.3.7+dfsg-2+deb11u4
fixed
forky
2:7.2.2.2+dfsg-2
fixed
sid
2:7.2.2.2+dfsg-2
fixed
trixie
2:7.2.2.1+dfsg-7
fixed
trixie (security)
2:7.2.2.2+dfsg-2~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
rails
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
mantic
ignored
noble
needs-triage
oracular
ignored
plucky
needs-triage
questing
needs-triage
trusty
ignored
xenial
needs-triage
ruby-rails-3.2
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
ruby-actionpack-3.2
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
ruby-activesupport-3.2
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
ruby-activerecord-3.2
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
ruby-activemodel-3.2
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
rails-4.0
bionic
dne
focal
dne
jammy
dne
mantic
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
ignored
xenial
dne
Common Weakness Enumeration
References
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://security.netapp.com/advisory/ntap-20240503-0003/
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://security.netapp.com/advisory/ntap-20240503-0003/