CVE-2023-22792

Опубликовано: 20 янв. 2023

Источник: redhat

CVSS3: 7.5

Описание

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Action Dispatch module. By sending specially-crafted cookies with an X_FORWARDED_HOST header, a remote attacker could exploit this vulnerability to use large amounts of CPU and memory, resulting in a denial of service.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat 3scale API Management Platform 2	3scale-amp-zync-container	Will not fix
Red Hat Satellite 6.14 for RHEL 8	rubygem-actionpack	Fixed	RHSA-2023:6818	08.11.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-1333

https://bugzilla.redhat.com/show_bug.cgi?id=2164800rubygem-actionpack: Denial of Service in Action Dispatch

7.5 High

CVSS3

Связанные уязвимости

CVE-2023-22792

CVSS3: 7.5

ubuntu

больше 2 лет назад

CVE-2023-22792

CVSS3: 7.5

nvd

больше 2 лет назад

CVE-2023-22792

CVSS3: 7.5

debian

больше 2 лет назад

A regular expression based DoS vulnerability in Action Dispatch <6.0.6 ...

GHSA-p84v-45xj-wwqj

github

больше 2 лет назад

ReDoS based DoS vulnerability in Action Dispatch

BDU:2025-01402

CVSS3: 7.5

fstec

больше 2 лет назад

Уязвимость компонента Action Dispatch программной платформы Ruby on Rails, позволяющая нарушителю вызвать отказ в обслуживании

7.5 High

CVSS3