Denial of service in Action Pack



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2024-47887
CWE-ID CWE-1333
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		actionpack
Web applications / Modules and components for CMS

Vendor Ruby

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Inefficient regular expression complexity

EUVDB-ID: #VU99671

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-47887

CWE-ID: CWE-1333 - Inefficient Regular Expression Complexity

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing untrusted input with a regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

actionpack: 4.0.0 - 7.2.1

CPE2.3 External links

http://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4
http://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049
http://github.com/rails/rails/commit/7c1398854d51f9bb193fb79f226647351133d08a
http://github.com/rails/rails/commit/8e057db25bff1dc7a98e9ae72e0083825b9ac545
http://github.com/rails/rails/commit/f4dc83d8926509d0958ec21fcdbc2e7df3d32ce2


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###