CVE-2024-26142
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2024-26142
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2024-26142.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | trixie | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| RubyGems | actionpack | not (< 7.1.0 or >= 7.1.3.1) | >= 7.1.3.1 |
| RubyGems | actionpack | >=7.1.0,<7.1.3.1 | 7.1.3.1 |
References
- https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
- https://www.suse.com/security/cve/CVE-2024-26142.html
- https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
- https://nvd.nist.gov/vuln/detail/CVE-2024-26142
- https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
- https://github.com/rails/rails
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
- https://security-tracker.debian.org/tracker/CVE-2024-26142