CVE-2023-22799
First published: Wed Jan 18 2023(Updated: )
A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately.
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/globalid | >=0.2.1<1.0.1 | 1.0.1 |
| redhat/rubygem-globalid | <1.0.1 | 1.0.1 |
| Rubyonrails Globalid Ruby | >=0.2.1<1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rails/globalid/releases/tag/v1.0.1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/globalid/CVE-2023-22799.yml
- https://nvd.nist.gov/vuln/detail/CVE-2023-22799
- https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
- https://github.com/rails/globalid/commit/4a75ecbfd73a8e92e32a1723b81a17e3136bd8fc
- https://github.com/advisories/GHSA-23c2-gwp5-pxw9 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2164731
- https://access.redhat.com/errata/RHSA-2023:6818
- https://bugzilla.redhat.com/show_bug.cgi?id=2164730
Frequently Asked Questions
What is CVE-2023-22799?
CVE-2023-22799 is a ReDoS based DoS vulnerability in the GlobalID gem.
What is the severity of CVE-2023-22799?
The severity of CVE-2023-22799 is high with a CVSS score of 7.5.
How does CVE-2023-22799 impact the GlobalID gem?
CVE-2023-22799 could allow an attacker supplying a carefully crafted string to cause a Denial of Service (DoS) in the model name parsing section of the GlobalID gem.
Which versions of GlobalID are affected by CVE-2023-22799?
Versions >= 0.2.1 of the GlobalID gem are affected by CVE-2023-22799.
How do I fix CVE-2023-22799?
To fix CVE-2023-22799, upgrade to version 1.0.1 of the GlobalID gem.
- collector/github-advisory-latest
- alias/GHSA-23c2-gwp5-pxw9
- alias/CVE-2023-22799
- collector/github-advisory
- agent/author
- agent/last-modified-date
- agent/first-publish-date
- agent/type
- agent/weakness
- agent/references
- agent/severity
- agent/remedy
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/event
- agent/trending
- agent/description
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- agent/source
- package-manager/rubygems
- package-manager/redhat
- vendor/rubyonrails
- canonical/rubyonrails globalid ruby
- version/rubyonrails globalid ruby/0.2.1