49 results (0.006 seconds)

CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. • https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94 https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3 https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9 https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6 • CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 6.6EPSS: 0%CPEs: 4EXPL: 0

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. • https://access.redhat.com/security/cve/cve-2024-41128 https://bugzilla.redhat.com/show_bug.cgi?id=2319036 https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075 https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891 https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj • CWE-770: Allocation of Resources Without Limits or Throttling •

CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Action Dispatch module. • https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115 https://security.netapp.com/advisory/ntap-20240202-0007 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2023-22792 https://bugzilla.redhat.com/show_bug.cgi?id=2164800 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 7.5EPSS: 3%CPEs: 4EXPL: 0

A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw was found in the rubygem-actionpack. RubyGem's actionpack gem is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in Action Dispatch related to the If-None-Match header. • https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118 https://security.netapp.com/advisory/ntap-20240202-0010 https://www.debian.org/security/2023/dsa-5372 https://access.redhat.com/security/cve/CVE-2023-22795 https://bugzilla.redhat.com/show_bug.cgi?id=2164799 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF. • https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857 https://github.com/ankane/clockwork_web/compare/v0.1.1...v0.1.2 https://github.com/ankane/clockwork_web/issues/4 • CWE-352: Cross-Site Request Forgery (CSRF) •