CVE-2024-47888

Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node` helper in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.
CVSS scores by provider:

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | UNKNOWN | | | | |
| GitHub_M | CNA | | | | | |
| CISA-ADP | ADP | | | | | |

Awaiting analysis: this vulnerability is currently awaiting analysis.

Base Score (CVSS 3.x): awaiting analysis.

EPSS Score: Percentile 39%.
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| rails | bullseye (security) | | vulnerable |
| rails | bullseye | | vulnerable |
| rails | bookworm | 2:6.1.7.10+dfsg-1~deb12u1 | fixed |
| rails | bookworm (security) | 2:6.1.7.10+dfsg-1~deb12u1 | fixed |
| rails | sid | 2:7.2.2.1+dfsg-7 | fixed |
| rails | trixie | 2:7.2.2.1+dfsg-7 | fixed |
Ubuntu Releases

| Ubuntu Product | Codename | Fixed Version | Status |
|---|---|---|---|
| rails | plucky | | needs-triage |
| rails | oracular | | needs-triage |
| rails | noble | | needs-triage |
| rails | jammy | 2:6.1.4.1+dfsg-8ubuntu2+esm1 | released |
| rails | focal | 2:5.2.3+dfsg-3ubuntu0.1~esm1 | released |
| rails | bionic | 2:4.2.10-0ubuntu4+esm1 | released |
| rails | xenial | 2:4.2.6-1ubuntu0.1~esm1 | released |