CVE-2023-22795

Опубликовано: 20 янв. 2023

Источник: redhat

CVSS3: 7.5

EPSS Низкий

Описание

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in Action Dispatch related to the If-None-Match header. By sending a specially-crafted HTTP If-None-Match header, a remote attacker can use large amounts of CPU and memory, resulting in a denial of service.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat 3scale API Management Platform 2	3scale-amp-zync-container	Will not fix
Red Hat Satellite 6.14 for RHEL 8	rubygem-actionpack	Fixed	RHSA-2023:6818	08.11.2023

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-1333

https://bugzilla.redhat.com/show_bug.cgi?id=2164799rubygem-actionpack: Denial of Service in Action Dispatch

EPSS

Процентиль: 72%

0.00757

Низкий

7.5 High

CVSS3

Связанные уязвимости

CVE-2023-22795

CVSS3: 7.5

ubuntu

больше 2 лет назад

CVE-2023-22795

CVSS3: 7.5

nvd

больше 2 лет назад

CVE-2023-22795

CVSS3: 7.5

msrc

больше 2 лет назад

Описание отсутствует

CVE-2023-22795

CVSS3: 7.5

debian

больше 2 лет назад

A regular expression based DoS vulnerability in Action Dispatch <6.1.7 ...

GHSA-8xww-x3g3-6jcv

github

больше 2 лет назад

ReDoS based DoS vulnerability in Action Dispatch

EPSS

Процентиль: 72%

0.00757

Низкий

7.5 High

CVSS3