CVE-2024-26142

State: PUBLISHED · Published: 2024-02-27 · Updated: 2025-02-13 · Assigner: GitHub_M

Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

CWE

CWE-1333 — CWE-1333: Inefficient Regular Expression Complexity

Affected

rails / rails — v=>= 7.1.0, < 7.1.3.1 [affected]

CVSS

3.1 score=7.5 severity=HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq x_refsource_CONFIRM
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272 x_refsource_MISC
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946 x_refsource_MISC
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml x_refsource_MISC
https://security.netapp.com/advisory/ntap-20240503-0003/

Source

cvelistV5-main/cves/2024/26xxx/CVE-2024-26142.json