First published: Tue Feb 27 2024(Updated: )
# Possible ReDoS vulnerability in Accept header parsing in Action Dispatch

There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142.

* Versions Affected: >= 7.1.0, < 7.1.3.1
* Not affected: < 7.1.0
* Fixed Versions: 7.1.3.1

Impact
------

Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Releases
--------

The fixed releases are available at the normal locations.

Workarounds
-----------

There are no feasible workarounds for this issue.

Patches
-------

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 7-1-accept-redox.patch - Patch for 7.1 series

Credits
-------

Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!

Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/actionpack | >=7.1.0, <7.1.3.1 | 7.1.3.1 |
| All of: | | |
| Ruby on Rails | >=7.1.0, <7.1.3.1 | |
| Ruby | <3.2.0 | |
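As an added example (not part of the advisory or of the Rails project's own code), a small Ruby check that applies the affected-version matrix above, including the "all of" condition that a Ruby 3.2 or newer runtime mitigates the issue. `check_current_process` is a hypothetical helper that inspects the gem loaded in the running process.

```ruby
require "rubygems"

# Affected range from the advisory table: lower bound inclusive, upper bound
# exclusive (">=7.1.0 <7.1.3.1"). Gem::Version orders "7.1.3" < "7.1.3.1"
# correctly, which a naive string comparison would not.
ACTIONPACK_AFFECTED = ["7.1.0", "7.1.3.1"].freeze
FIXED_ACTIONPACK = "7.1.3.1"
RUBY_MITIGATED_FROM = "3.2.0" # Ruby 3.2+ regex engine mitigates the ReDoS

def in_range?(version, lower_inclusive, upper_exclusive)
  v = Gem::Version.new(version)
  v >= Gem::Version.new(lower_inclusive) && v < Gem::Version.new(upper_exclusive)
end

# True only when BOTH table conditions hold ("All of"): an affected
# actionpack AND a Ruby older than 3.2.0.
def affected?(actionpack_version, ruby_version)
  in_range?(actionpack_version, *ACTIONPACK_AFFECTED) &&
    Gem::Version.new(ruby_version) < Gem::Version.new(RUBY_MITIGATED_FROM)
end

# Human-readable verdict explaining which condition decided the outcome.
def verdict(actionpack_version, ruby_version)
  if !in_range?(actionpack_version, *ACTIONPACK_AFFECTED)
    "not affected: actionpack #{actionpack_version} is outside the affected range"
  elsif Gem::Version.new(ruby_version) >= Gem::Version.new(RUBY_MITIGATED_FROM)
    "not affected: Ruby #{ruby_version} mitigates the ReDoS"
  else
    "AFFECTED: upgrade actionpack to #{FIXED_ACTIONPACK}"
  end
end

# Hypothetical helper: evaluate the running process using the loaded gem spec.
def check_current_process
  spec = Gem.loaded_specs["actionpack"]
  return "actionpack not loaded in this process" unless spec
  verdict(spec.version.to_s, RUBY_VERSION)
end

puts check_current_process if $PROGRAM_NAME == __FILE__
```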
CVE-2024-26142 has a medium severity rating due to the potential for a ReDoS attack.
To fix CVE-2024-26142, upgrade Action Dispatch to version 7.1.3.1 or later.
CVE-2024-26142 affects Action Dispatch versions from 7.1.0 up to and including 7.1.3 (every release before 7.1.3.1).
If not addressed, CVE-2024-26142 may allow an attacker who sends carefully crafted Accept headers to cause a denial of service.
Your application is vulnerable to CVE-2024-26142 if it uses Action Dispatch versions from 7.1.0 up to and including 7.1.3 and runs on a Ruby older than 3.2.