CVE-2023-22799
First published: Wed Jan 18 2023(Updated: )
There is a ReDoS based DoS vulnerability in the GlobalID gem. This vulnerability has been assigned the CVE identifier CVE-2023-22799. Versions Affected: >= 0.2.1 Not affected: NOTAFFECTED Fixed Versions: 1.0.1 Impact There is a possible DoS vulnerability in the model name parsing section of the GlobalID gem. Carefully crafted input can cause the regular expression engine to take an unexpected amount of time. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases The FIXED releases are available at the normal locations. Workarounds There are no feasible workarounds for this issue. Patches To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. 1-0-model-name-redos.patch - Patch for 1.0 series
Credit: support@hackerone.com support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rubyonrails Globalid | >=0.2.1<1.0.1 | |
| redhat/rubygem-globalid | <1.0.1 | 1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/rails/globalid/releases/tag/v1.0.1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/globalid/CVE-2023-22799.yml
- https://nvd.nist.gov/vuln/detail/CVE-2023-22799
- https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
- https://github.com/rails/globalid/commit/4a75ecbfd73a8e92e32a1723b81a17e3136bd8fc
- https://github.com/advisories/GHSA-23c2-gwp5-pxw9 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2164731
- https://access.redhat.com/errata/RHSA-2023:6818
- https://bugzilla.redhat.com/show_bug.cgi?id=2164730
Frequently Asked Questions
What is CVE-2023-22799?
CVE-2023-22799 is a ReDoS based DoS vulnerability in the GlobalID gem.
What is the severity of CVE-2023-22799?
The severity of CVE-2023-22799 is high with a CVSS score of 7.5.
How does CVE-2023-22799 impact the GlobalID gem?
CVE-2023-22799 could allow an attacker supplying a carefully crafted string to cause a Denial of Service (DoS) in the model name parsing section of the GlobalID gem.
Which versions of GlobalID are affected by CVE-2023-22799?
Versions >= 0.2.1 of the GlobalID gem are affected by CVE-2023-22799.
How do I fix CVE-2023-22799?
To fix CVE-2023-22799, upgrade to version 1.0.1 of the GlobalID gem.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- alias/GHSA-23c2-gwp5-pxw9
- alias/CVE-2023-22799
- collector/github-advisory-latest
- collector/nvd-cve
- collector/nvd-index
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- package-manager/rubygems
- vendor/rubyonrails
- canonical/rubyonrails globalid
- version/rubyonrails globalid/0.2.1
- package-manager/redhat