Ruby/actionpack/6.0.0.beta1


Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

https://rubygems.org/gems/actionpack
MIT

12 Security Vulnerabilities

Actionpack has possible cross-site scripting vulnerability via User Supplied Values to redirect_to

Published date: 2023-06-29T15:03:16Z
CVE: CVE-2023-28362
Links:

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

Affected versions: ["7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.1.7", "6.0.6", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

ReDoS based DoS vulnerability in Action Dispatch

Published date: 2023-01-18T18:20:51Z
CVE: CVE-2023-22795
Links:

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. Releases

The FIXED releases are available at the normal locations. Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series

Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.1.7", "6.0.6", "6.0.6.1", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Cross-site Scripting in actionpack

Published date: 2022-10-27T12:00:27Z
CVE: CVE-2022-3704
Links:

actionpack from the Ruby on Rails project is vulnerable to Cross-site Scripting in the Route Error Page. This issue has been patched with this commit.

This vulnerability is disputed by the Rails security team. It requires that the developer is tricked into copy pasting a malicious javascript-containing string into a development-only error page accessible only via localhost.

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "7.0.3", "6.1.6", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "7.0.4", "6.1.7", "6.0.6", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8", "6.1.7.9", "6.1.7.10"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Published date: 2024-10-15T23:35:35Z
CVE: CVE-2024-47887
Links:

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

Affected versions: ["7.2.0", "7.2.1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.1.7", "6.0.6", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Published date: 2024-10-15T23:35:33Z
CVE: CVE-2024-41128
Links:

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Affected versions: ["7.2.0", "7.2.1", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.1.3.4", "7.1.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "7.0.2.3", "7.0.2.4", "7.0.3", "7.0.3.1", "7.0.4", "7.0.4.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.0.8.1", "7.0.8.2", "7.0.8.3", "7.0.8.4", "6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "6.1.5.1", "6.0.4.8", "5.2.7.1", "6.1.6", "6.0.5", "5.2.8", "6.1.6.1", "6.0.5.1", "5.2.8.1", "6.1.7", "6.0.6", "6.1.7.1", "6.0.6.1", "6.1.7.2", "6.1.7.3", "6.1.7.4", "6.1.7.6", "6.1.7.5", "6.1.7.7", "6.1.7.8"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible Strong Parameters Bypass in ActionPack

Published date: 2020-05-18
Framework: rails
CVE: 2020-8164
CVSS V3: 7.5
Links:

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3 Not affected: rails < 4.0.0 Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of each, or each_value, or each_pair will return the underlying untrusted hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.

Impacted code will look something like this:

def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
   params.each { |k, v|  SomeModel.check(v) if k == :name }
end

Note the mistaken use of each in the clean_up_params method in the above example.

Workarounds

Do not use the return values of each, each_value, or each_pair in your application.

Affected versions: ["6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Ability to forge per-form CSRF tokens given a global CSRF token

Published date: 2020-05-18
Framework: rails
CVE: 2020-8166
CVSS V3: 4.3
Links:

It is possible to possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Versions Affected: rails < 5.2.5, rails < 6.0.4 Not affected: Applications without existing HTML injection vulnerabilities. Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds

This is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.

Affected versions: ["6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

ReDoS based DoS vulnerability in Action Dispatch

Published date: 2023-01-18
Framework: rails
CVE: 2023-22792
Links:

There is a possible regular expression based DoS vulnerability in Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2023-22792.

Versions Affected: >= 3.0.0 Not affected: < 3.0.0 Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

Specially crafted cookies, in combination with a specially crafted XFORWARDEDHOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious XFORWARDEDHOST headers before they reach the application.

Affected versions: ["6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "6.0.3.5", "6.0.3.6", "6.0.3.7", "6.0.4", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.0.4.2", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "7.0.2.4", "6.0.4.8", "7.0.3", "6.0.5", "7.0.3.1", "6.0.5.1", "7.0.4", "6.0.6", "6.0.6.1"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

ReDoS based DoS vulnerability in Action Dispatch

Published date: 2023-01-18
Framework: rails
CVE: 2023-22795
Links:

There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.

Versions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

Impact

A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.

Users on Ruby 3.2.0 or greater are not affected by this vulnerability.

Affected versions: ["6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.0.3.5", "6.0.3.6", "6.0.3.7", "6.0.4", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.0.4.3", "6.0.4.2", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.0.4.6", "6.0.4.5", "7.0.2.3", "6.0.4.7", "7.0.2.4", "6.0.4.8", "7.0.3", "6.0.5", "7.0.3.1", "6.0.5.1", "7.0.4", "6.0.6", "6.0.6.1"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible XSS via User Supplied Values to redirect_to

Published date: 2023-06-26
Framework: rails
CVE: 2023-28362
Links:

The redirect_to method in Rails allows provided values to contain characters which are not legal in an HTTP header value. This results in the potential for downstream services which enforce RFC compliance on HTTP response headers to remove the assigned Location header. This vulnerability has been assigned the CVE identifier CVE-2023-28362.

Versions Affected: All. Not affected: None Fixed Versions: 7.0.5.1, 6.1.7.4

Impact

This introduces the potential for a Cross-site-scripting (XSS) payload to be delivered on the now static redirection page. Note that this both requires user interaction and for a Rails app to be configured to allow redirects to external hosts (defaults to false in Rails >= 7.0.x).

Releases

The FIXED releases are available at the normal locations.

Workarounds

Avoid providing user supplied URLs with arbitrary schemes to the redirect_to method.

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "3.1.0.rc8", "3.1.0.rc6", "3.1.0.rc5", "3.1.0.rc4", "3.1.0.rc3", "3.1.0.rc2", "3.1.0.rc1", "3.1.0.beta1", "3.0.20", "3.0.19", "3.0.18", "3.0.17", "3.0.16", "3.0.15", "3.0.14", "3.0.13", "3.0.13.rc1", "3.0.12", "3.0.12.rc1", "3.0.11", "3.0.10", "3.0.10.rc1", "3.0.9", "3.0.9.rc5", "3.0.9.rc4", "3.0.9.rc3", "3.0.9.rc1", "3.0.8", "3.0.8.rc4", "3.0.8.rc2", "3.0.8.rc1", "3.0.7", "3.0.7.rc2", "3.0.7.rc1", "3.0.6", "3.0.6.rc2", "3.0.6.rc1", "3.0.5", "3.0.5.rc1", "3.0.4", "3.0.4.rc1", "3.0.3", "3.0.2", "3.0.1", "3.0.0", "3.0.0.rc2", "3.0.0.rc", "3.0.0.beta4", "3.0.0.beta3", "3.0.0.beta2", "3.0.0.beta", "2.3.18", "2.3.17", "2.3.16", "2.3.15", "2.3.14", "2.3.12", "2.3.11", "2.3.10", "2.3.9", "2.3.9.pre", "2.3.8", "2.3.8.pre1", "2.3.7", "2.3.6", "2.3.5", "2.3.4", "2.3.3", "2.3.2", "2.2.3", "2.2.2", "2.1.2", "2.1.1", "2.1.0", "2.0.5", "2.0.4", "2.0.2", "2.0.1", "2.0.0", "1.13.6", "1.13.5", "1.13.4", "1.13.3", "1.13.2", "1.13.1", "1.13.0", "1.12.5", "1.12.4", "1.12.3", "1.12.2", "1.12.1", "1.12.0", "1.11.2", "1.11.1", "1.11.0", "1.10.2", "1.10.1", "1.9.1", "1.9.0", "1.8.1", "1.8.0", "1.7.0", "1.6.0", "1.5.1", "1.5.0", "1.4.0", "1.3.1", "1.3.0", "1.2.0", "1.1.0", "1.0.1", "1.0.0", "0.9.5", "0.9.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "7.0.3", "6.1.6", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "7.0.4", "6.1.7", "6.0.6", "7.0.4.1", "6.0.6.1", "7.0.4.2", "7.0.4.3", "7.0.5"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Published date: 2024-10-15
Framework: rails
CVE: 2024-41128
Links:

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "4.0.0.rc2", "4.0.0.rc1", "4.0.0.beta1", "3.2.22.5", "3.2.22.4", "3.2.22.3", "3.2.22.2", "3.2.22.1", "3.2.22", "3.2.21", "3.2.20", "3.2.19", "3.2.18", "3.2.17", "3.2.16", "3.2.15", "3.2.15.rc3", "3.2.15.rc2", "3.2.15.rc1", "3.2.14", "3.2.14.rc2", "3.2.14.rc1", "3.2.13", "3.2.13.rc2", "3.2.13.rc1", "3.2.12", "3.2.11", "3.2.10", "3.2.9", "3.2.9.rc3", "3.2.9.rc2", "3.2.9.rc1", "3.2.8", "3.2.8.rc2", "3.2.8.rc1", "3.2.7", "3.2.7.rc1", "3.2.6", "3.2.5", "3.2.4", "3.2.4.rc1", "3.2.3", "3.2.3.rc2", "3.2.3.rc1", "3.2.2", "3.2.2.rc1", "3.2.1", "3.2.0", "3.2.0.rc2", "3.2.0.rc1", "3.1.12", "3.1.11", "3.1.10", "3.1.9", "3.1.8", "3.1.7", "3.1.6", "3.1.5", "3.1.5.rc1", "3.1.4", "3.1.4.rc1", "3.1.3", "3.1.2", "3.1.2.rc2", "3.1.2.rc1", "3.1.1", "3.1.1.rc3", "3.1.1.rc2", "3.1.1.rc1", "3.1.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "7.0.3", "6.1.6", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "7.0.4", "6.1.7", "6.0.6", "7.0.4.1", "6.0.6.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Published date: 2024-10-15
Framework: rails
CVE: 2024-47887
Links:

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

Affected versions: ["6.1.0.rc1", "6.0.3.4", "6.0.3.3", "6.0.3.2", "6.0.3.1", "6.0.3", "6.0.3.rc1", "6.0.2.2", "6.0.2.1", "6.0.2", "6.0.2.rc2", "6.0.2.rc1", "6.0.1", "6.0.1.rc1", "6.0.0", "6.0.0.rc2", "6.0.0.rc1", "6.0.0.beta3", "6.0.0.beta2", "6.0.0.beta1", "5.2.4.4", "5.2.4.3", "5.2.4.2", "5.2.4.1", "5.2.4", "5.2.4.rc1", "5.2.3", "5.2.3.rc1", "5.2.2.1", "5.2.2", "5.2.2.rc1", "5.2.1.1", "5.2.1", "5.2.1.rc1", "5.2.0", "5.2.0.rc2", "5.2.0.rc1", "5.2.0.beta2", "5.2.0.beta1", "5.1.7", "5.1.7.rc1", "5.1.6.2", "5.1.6.1", "5.1.6", "5.1.5", "5.1.5.rc1", "5.1.4", "5.1.4.rc1", "5.1.3", "5.1.3.rc3", "5.1.3.rc2", "5.1.3.rc1", "5.1.2", "5.1.2.rc1", "5.1.1", "5.1.0", "5.1.0.rc2", "5.1.0.rc1", "5.1.0.beta1", "5.0.7.2", "5.0.7.1", "5.0.7", "5.0.6", "5.0.6.rc1", "5.0.5", "5.0.5.rc2", "5.0.5.rc1", "5.0.4", "5.0.4.rc1", "5.0.3", "5.0.2", "5.0.2.rc1", "5.0.1", "5.0.1.rc2", "5.0.1.rc1", "5.0.0.1", "5.0.0", "5.0.0.rc2", "5.0.0.rc1", "5.0.0.racecar1", "5.0.0.beta4", "5.0.0.beta3", "5.0.0.beta2", "5.0.0.beta1.1", "5.0.0.beta1", "4.2.11.3", "4.2.11.2", "4.2.11.1", "4.2.11", "4.2.10", "4.2.10.rc1", "4.2.9", "4.2.9.rc2", "4.2.9.rc1", "4.2.8", "4.2.8.rc1", "4.2.7.1", "4.2.7", "4.2.7.rc1", "4.2.6", "4.2.6.rc1", "4.2.5.2", "4.2.5.1", "4.2.5", "4.2.5.rc2", "4.2.5.rc1", "4.2.4", "4.2.4.rc1", "4.2.3", "4.2.3.rc1", "4.2.2", "4.2.1", "4.2.1.rc4", "4.2.1.rc3", "4.2.1.rc2", "4.2.1.rc1", "4.2.0", "4.2.0.rc3", "4.2.0.rc2", "4.2.0.rc1", "4.2.0.beta4", "4.2.0.beta3", "4.2.0.beta2", "4.2.0.beta1", "4.1.16", "4.1.16.rc1", "4.1.15", "4.1.15.rc1", "4.1.14.2", "4.1.14.1", "4.1.14", "4.1.14.rc2", "4.1.14.rc1", "4.1.13", "4.1.13.rc1", "4.1.12", "4.1.12.rc1", "4.1.11", "4.1.10", "4.1.10.rc4", "4.1.10.rc3", "4.1.10.rc2", "4.1.10.rc1", "4.1.9", "4.1.9.rc1", "4.1.8", "4.1.7.1", "4.1.7", "4.1.6", "4.1.6.rc2", "4.1.6.rc1", "4.1.5", "4.1.4", "4.1.3", "4.1.2", "4.1.2.rc3", "4.1.2.rc2", "4.1.2.rc1", "4.1.1", "4.1.0", "4.1.0.rc2", "4.1.0.rc1", "4.1.0.beta2", "4.1.0.beta1", "4.0.13", "4.0.13.rc1", "4.0.12", "4.0.11.1", "4.0.11", "4.0.10", "4.0.10.rc2", "4.0.10.rc1", "4.0.9", "4.0.8", "4.0.7", "4.0.6", "4.0.6.rc3", "4.0.6.rc2", "4.0.6.rc1", "4.0.5", "4.0.4", "4.0.4.rc1", "4.0.3", "4.0.2", "4.0.1", "4.0.1.rc4", "4.0.1.rc3", "4.0.1.rc2", "4.0.1.rc1", "4.0.0", "6.1.0.rc2", "6.1.0", "6.1.1", "6.1.2", "6.1.2.1", "6.0.3.5", "5.2.4.5", "6.1.3", "6.1.3.1", "6.0.3.6", "5.2.5", "6.1.3.2", "6.0.3.7", "5.2.6", "5.2.4.6", "6.0.4", "6.1.4", "6.1.4.1", "6.0.4.1", "7.0.0.alpha2", "7.0.0.alpha1", "7.0.0.rc1", "7.0.0.rc3", "7.0.0.rc2", "6.1.4.3", "6.1.4.2", "6.0.4.3", "6.0.4.2", "6.1.4.4", "6.0.4.4", "7.0.0", "7.0.1", "7.0.2", "7.0.2.2", "7.0.2.1", "6.1.4.6", "6.1.4.5", "6.0.4.6", "6.0.4.5", "5.2.6.2", "5.2.6.1", "7.0.2.3", "6.1.4.7", "6.0.4.7", "5.2.6.3", "6.1.5", "5.2.7", "7.0.2.4", "6.1.5.1", "6.0.4.8", "5.2.7.1", "7.0.3", "6.1.6", "6.0.5", "5.2.8", "7.0.3.1", "6.1.6.1", "6.0.5.1", "5.2.8.1", "7.0.4", "6.1.7", "6.0.6", "7.0.4.1", "6.0.6.1", "7.0.4.2", "7.0.4.3", "7.0.5", "7.0.5.1", "7.0.6", "7.0.7", "7.0.7.2", "7.0.7.1", "7.0.8", "7.1.0.beta1", "7.1.0.rc1", "7.1.0.rc2", "7.1.0", "7.1.1", "7.1.2", "7.1.3", "7.1.3.2", "7.1.3.1", "7.1.3.3", "7.2.0.beta1", "7.2.0.beta2", "7.1.3.4", "7.2.0.beta3", "7.2.0.rc1", "7.2.0", "7.2.1", "7.1.4"]
Secure versions: [8.0.0.beta1, 7.2.1.1, 7.1.4.1, 7.0.8.5, 8.0.0.rc1, 7.2.1.2, 7.1.4.2, 7.0.8.6, 8.0.0.rc2, 7.2.2, 7.1.5]
Recommendation: Update to version 7.2.2.

490 Other Versions

Version License Security Released
8.0.0.rc2 MIT 2024-10-30 - 00:31 2 days
8.0.0.rc1 MIT 2024-10-19 - 01:43 13 days
8.0.0.beta1 MIT 2024-09-26 - 15:05 about 1 month
7.2.2 MIT 2024-10-31 - 01:47 about 21 hours
7.2.1.2 MIT 2024-10-23 - 22:34 8 days
7.2.1.1 MIT 2024-10-15 - 20:46 16 days
7.2.1 MIT 4 2024-08-22 - 19:46 2 months
7.2.0 MIT 4 2024-08-09 - 23:26 3 months
7.2.0.rc1 MIT 2 2024-08-06 - 17:01 3 months
7.2.0.beta3 MIT 2 2024-07-11 - 15:20 4 months
7.2.0.beta2 MIT 2 2024-06-04 - 18:14 5 months
7.2.0.beta1 MIT 4 2024-05-29 - 23:38 5 months
7.1.5 MIT 2024-10-31 - 01:34 about 21 hours
7.1.4.2 MIT 2024-10-23 - 22:29 8 days
7.1.4.1 MIT 2024-10-15 - 20:40 16 days
7.1.4 MIT 4 2024-08-22 - 21:27 2 months
7.1.3.4 MIT 4 2024-06-04 - 18:00 5 months
7.1.3.3 MIT 5 2024-05-16 - 19:22 6 months
7.1.3.2 MIT 5 2024-02-21 - 21:46 8 months
7.1.3.1 MIT 5 2024-02-21 - 18:46 8 months
7.1.3 MIT 9 2024-01-16 - 22:54 10 months
7.1.2 MIT 9 2023-11-10 - 21:50 12 months
7.1.1 MIT 9 2023-10-11 - 22:17 about 1 year
7.1.0 MIT 9 2023-10-05 - 08:07 about 1 year
7.1.0.rc2 MIT 3 2023-10-01 - 22:00 about 1 year
7.1.0.rc1 MIT 3 2023-09-27 - 04:01 about 1 year
7.1.0.beta1 MIT 3 2023-09-13 - 00:40 about 1 year
7.0.8.6 MIT 2024-10-23 - 22:23 8 days
7.0.8.5 MIT 2024-10-15 - 20:28 16 days
7.0.8.4 MIT 2 2024-06-04 - 17:56 5 months
7.0.8.3 MIT 3 2024-05-17 - 19:53 6 months
7.0.8.2 MIT 3 2024-05-16 - 18:58 6 months
7.0.8.1 MIT 3 2024-02-21 - 18:42 8 months
7.0.8 MIT 6 2023-09-09 - 19:12 about 1 year
7.0.7.2 MIT 6 2023-08-22 - 20:10 about 1 year
7.0.7.1 MIT 6 2023-08-22 - 17:20 about 1 year
7.0.7 MIT 6 2023-08-09 - 23:57 about 1 year
7.0.6 MIT 6 2023-06-29 - 20:56 over 1 year
7.0.5.1 MIT 6 2023-06-26 - 21:42 over 1 year
7.0.5 MIT 8 2023-05-24 - 19:11 over 1 year
7.0.4.3 MIT 8 2023-03-13 - 18:53 over 1 year
7.0.4.2 MIT 8 2023-01-25 - 03:14 almost 2 years
7.0.4.1 MIT 8 2023-01-17 - 18:55 almost 2 years
7.0.4 MIT 15 2022-09-09 - 18:42 about 2 years
7.0.3.1 MIT 15 2022-07-12 - 17:31 over 2 years
7.0.3 MIT 15 2022-05-09 - 13:40 over 2 years
7.0.2.4 MIT 15 2022-04-26 - 19:33 over 2 years
7.0.2.3 MIT 17 2022-03-08 - 17:50 over 2 years
7.0.2.2 MIT 17 2022-02-11 - 19:43 over 2 years
7.0.2.1 MIT 19 2022-02-11 - 18:18 over 2 years
7.0.2 MIT 19 2022-02-08 - 23:12 over 2 years
7.0.1 MIT 19 2022-01-06 - 21:54 almost 3 years
7.0.0 MIT 19 2021-12-15 - 23:43 almost 3 years
7.0.0.rc3 MIT 8 2021-12-14 - 23:04 almost 3 years
7.0.0.rc2 MIT 8 2021-12-14 - 19:39 almost 3 years
7.0.0.rc1 MIT 9 2021-12-06 - 21:31 almost 3 years
7.0.0.alpha2 MIT 9 2021-09-15 - 23:15 about 3 years
7.0.0.alpha1 MIT 9 2021-09-15 - 21:56 about 3 years
6.1.7.10 MIT 1 2024-10-23 - 21:58 8 days
6.1.7.9 MIT 1 2024-10-15 - 21:25 16 days
6.1.7.8 MIT 3 2024-06-04 - 17:55 5 months
6.1.7.7 MIT 4 2024-02-21 - 18:39 8 months
6.1.7.6 MIT 4 2023-08-22 - 20:07 about 1 year
6.1.7.5 MIT 4 2023-08-22 - 17:15 about 1 year
6.1.7.4 MIT 4 2023-06-26 - 21:31 over 1 year
6.1.7.3 MIT 5 2023-03-13 - 18:48 over 1 year
6.1.7.2 MIT 5 2023-01-25 - 03:23 almost 2 years
6.1.7.1 MIT 5 2023-01-17 - 18:54 almost 2 years
6.1.7 MIT 10 2022-09-09 - 18:38 about 2 years
6.1.6.1 MIT 10 2022-07-12 - 17:29 over 2 years
6.1.6 MIT 10 2022-05-09 - 13:45 over 2 years
6.1.5.1 MIT 10 2022-04-26 - 19:30 over 2 years
6.1.5 MIT 11 2022-03-10 - 21:16 over 2 years
6.1.4.7 MIT 11 2022-03-08 - 17:48 over 2 years
6.1.4.6 MIT 11 2022-02-11 - 19:41 over 2 years
6.1.4.5 MIT 12 2022-02-11 - 18:22 over 2 years
6.1.4.4 MIT 12 2021-12-15 - 22:53 almost 3 years
6.1.4.3 MIT 12 2021-12-14 - 23:02 almost 3 years
6.1.4.2 MIT 12 2021-12-14 - 19:49 almost 3 years
6.1.4.1 MIT 13 2021-08-19 - 16:25 about 3 years
6.1.4 MIT 15 2021-06-24 - 20:40 over 3 years
6.1.3.2 MIT 15 2021-05-05 - 15:34 over 3 years
6.1.3.1 MIT 23 2021-03-26 - 18:06 over 3 years
6.1.3 MIT 23 2021-02-17 - 18:41 over 3 years
6.1.2.1 MIT 23 2021-02-10 - 20:44 over 3 years
6.1.2 MIT 25 2021-02-09 - 21:28 over 3 years
6.1.1 MIT 25 2021-01-07 - 22:59 almost 4 years
6.1.0 MIT 25 2020-12-09 - 19:57 almost 4 years
6.1.0.rc2 MIT 16 2020-12-01 - 22:01 almost 4 years
6.1.0.rc1 MIT 14 2020-11-02 - 21:20 almost 4 years
6.0.6.1 MIT 11 2023-01-17 - 18:53 almost 2 years
6.0.6 MIT 11 2022-09-09 - 18:32 about 2 years
6.0.5.1 MIT 11 2022-07-12 - 17:28 over 2 years
6.0.5 MIT 11 2022-05-09 - 13:50 over 2 years
6.0.4.8 MIT 11 2022-04-26 - 19:27 over 2 years
6.0.4.7 MIT 12 2022-03-08 - 17:47 over 2 years
6.0.4.6 MIT 12 2022-02-11 - 19:39 over 2 years
6.0.4.5 MIT 13 2022-02-11 - 18:24 over 2 years
6.0.4.4 MIT 13 2021-12-15 - 22:46 almost 3 years
6.0.4.3 MIT 13 2021-12-14 - 23:00 almost 3 years