CVE-2021-22902 — Uncontrolled Resource Consumption in Rails

CWE-400 — Uncontrolled Resource Consumption7 documents6 sources

Severity

7.5HIGHNVD

EPSS

1.1%

top 22.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack Https Github.com Rails Rails

Timeline

PublishedJun 11

Description

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

▶RubyGemsactionpack_project/actionpack6.0.0 — 6.0.3.7+1

▶NVDrubyonrails/rails6.0.0 — 6.0.3.7+1

▶Debianrubyonrails/rails< 2:6.0.3.7+dfsg-1+3

▶CVEListV5https/github.com_rails_railsFixed in 6.0.3.7, 6.1.3.2

Patches

Patch: discuss.rubyonrails.org ↗Patch: discuss.rubyonrails.org ↗

🔴Vulnerability Details

OSV

CVE-2021-22902: The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6↗2021-06-11

▶

CVEList

CVE-2021-22902: The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6↗2021-06-11

▶

OSV

Denial of Service in Action Dispatch↗2021-05-05

▶

GHSA

Denial of Service in Action Dispatch↗2021-05-05

▶

📋Vendor Advisories

Red Hat

rails: Possible Denial of Service vulnerability in Action Dispatch↗2021-05-05

▶

Debian

CVE-2021-22902: rails - The actionpack ruby gem (a framework for handling and responding to web requests...↗2021

▶