CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47889 – Action Mailer has possible ReDoS vulnerability in block_format
https://notcve.org/view.php?id=CVE-2024-47889
16 Oct 2024 — Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patc... • https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-47887 – Action Controller has possible ReDoS vulnerability in HTTP Token authentication
https://notcve.org/view.php?id=CVE-2024-47887
16 Oct 2024 — Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an a... • https://github.com/rails/rails/commit/56b2fc3302836405b496e196a8d5fc0195e55049 • CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2024-41128 – Action Dispatch has possible ReDoS vulnerability in query parameter filtering
https://notcve.org/view.php?id=CVE-2024-41128
16 Oct 2024 — Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, ... • https://access.redhat.com/security/cve/cve-2024-41128 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.8EPSS: 4%CPEs: 4EXPL: 0CVE-2023-22795 – rubygem-actionpack: Denial of Service in Action Dispatch
https://notcve.org/view.php?id=CVE-2023-22795
09 Feb 2023 — A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw ... • https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2023-22792 – rubygem-actionpack: Denial of Service in Action Dispatch
https://notcve.org/view.php?id=CVE-2023-22792
09 Feb 2023 — A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. A flaw was found in the ru... • https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-25015
https://notcve.org/view.php?id=CVE-2023-25015
02 Feb 2023 — Clockwork Web before 0.1.2, when Rails before 5.2 is used, allows CSRF. • https://github.com/ankane/clockwork_web/commit/ec2896503ee231588547c2fad4cb93a94e78f857 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2021-22904 – rails: Possible DoS Vulnerability in Action Controller Token Authentication
https://notcve.org/view.php?id=CVE-2021-22904
11 Jun 2021 — The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. El actionpack ruby gem versiones anteriores a 6.1.3.2, 6.0.3.7, 5.2.4.6 y 5.2.6, sufre una posible vulnerabilidad de denegación de servicio en la lógica de autenticación ... • https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 2CVE-2021-22880 – Debian Security Advisory 4929-1
https://notcve.org/view.php?id=CVE-2021-22880
11 Feb 2021 — The PostgreSQL adapter in Active Record before 6.1.2.1, 6.0.3.5, 5.2.4.5 suffers from a regular expression denial of service (REDoS) vulnerability. Carefully crafted input can cause the input validation in the `money` type of the PostgreSQL adapter in Active Record to spend too much time in a regular expression, resulting in the potential for a DoS attack. This only impacts Rails applications that are using PostgreSQL along with money type columns that take user input. El adaptador PostgreSQL en Active Reco... • https://github.com/halkichi0308/CVE-2021-22880 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 4.3EPSS: 0%CPEs: 3EXPL: 1CVE-2020-8166 – rubygem-actionpack: ability to forge per-form CSRF tokens given a global CSRF token
https://notcve.org/view.php?id=CVE-2020-8166
02 Jul 2020 — A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token. Se presenta una vulnerabilidad de falsificación CSRF en rails versiones anteriores a 5.2.5, rails versiones anteriores a 6.0.4 que hace posible para un atacante, dado un token CSRF global como el presente en la etiqueta meta de authenticity_token, forjar un token CSRF per-form A flaw w... • https://groups.google.com/g/rubyonrails-security/c/NOjKiGeXUgw • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.8EPSS: 96%CPEs: 2EXPL: 8CVE-2020-8163 – Rails 5.0.1 - Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-8163
02 Jul 2020 — The is a code injection vulnerability in versions of Rails prior to 5.0.1 that wouldallow an attacker who controlled the `locals` argument of a `render` call to perform a RCE. Se trata de una vulnerabilidad de inyección de código en versiones de Rails anteriores a 5.0.1, que permitiría a un atacante que controlara el argumento "locals" de una llamada "render" para realizar un RCE • https://packetstorm.news/files/id/158604 • CWE-94: Improper Control of Generation of Code ('Code Injection') •