What is CVE-2021-22902?

CVE-2021-22902 is a Denial of Service vulnerability in Action Dispatch, a component of RubyGem Actionpack.

What is the impact of CVE-2021-22902?

The vulnerability in CVE-2021-22902 can lead to a Denial of Service attack by causing catastrophic backtracking in the mime type parser.

How severe is CVE-2021-22902?

CVE-2021-22902 has a severity rating of 7.5 (High).

Which software versions are affected by CVE-2021-22902?

Actionpack versions 6.1.0 to 6.1.3.1 and 6.0.0 to 6.0.3.6 are affected by CVE-2021-22902.

How can I fix CVE-2021-22902?

To fix CVE-2021-22902, update your Actionpack to version 6.1.3.2 or 6.0.3.7.

Vulnerability/
CVE-2021-22902

high

7.5

CWE

400

5/5/2021

17/8/2023

CVE-2021-22902

First published: Wed May 05 2021(Updated: )

Impact ------ There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- The following monkey patch placed in an initializer can be used to work around the issue. ```ruby module Mime class Type MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/ end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.0 series * 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch - Patch for 6.1 series Please note that only the 6.1.Z, 6.0.Z, and 5.2.Z series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thanks to Security Curious <security...@pm.me> for reporting this!

Credit: support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
redhat/tfm-rubygem-rails	<0:6.0.3.7-1.el7	0:6.0.3.7-1.el7
rubygems/actionpack	>=6.1.0<=6.1.3.1	6.1.3.2
rubygems/actionpack	>=6.0.0<=6.0.3.6	6.0.3.7
Rubyonrails Rails	>=6.0.0<6.0.3.7
Rubyonrails Rails	>=6.1.0<6.1.0.2
debian/rails		2:5.2.2.1+dfsg-1+deb10u3 2:5.2.2.1+dfsg-1+deb10u5 2:6.0.3.7+dfsg-2+deb11u2 2:6.1.7.3+dfsg-1 2:6.1.7.3+dfsg-2

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

RHSA-2021:4702

Frequently Asked Questions

What is CVE-2021-22902?
CVE-2021-22902 is a Denial of Service vulnerability in Action Dispatch, a component of RubyGem Actionpack.
What is the impact of CVE-2021-22902?
The vulnerability in CVE-2021-22902 can lead to a Denial of Service attack by causing catastrophic backtracking in the mime type parser.
How severe is CVE-2021-22902?
CVE-2021-22902 has a severity rating of 7.5 (High).
Which software versions are affected by CVE-2021-22902?
Actionpack versions 6.1.0 to 6.1.3.1 and 6.0.0 to 6.0.3.6 are affected by CVE-2021-22902.
How can I fix CVE-2021-22902?
To fix CVE-2021-22902, update your Actionpack to version 6.1.3.2 or 6.0.3.7.

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/type
agent/weakness
collector/github-advisory
alias/GHSA-g8ww-46x2-2p65
alias/CVE-2021-22902
collector/github-advisory-latest
collector/nvd-cve
collector/nvd-index
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/redhat-cve
collector/security-tracker-debian
package-manager/rubygems
vendor/rubyonrails
canonical/rubyonrails rails
version/rubyonrails rails/6.0.0
version/rubyonrails rails/6.1.0
package-manager/redhat
package-manager/debian