Regular Expression DoS Vulnerability in Action Dispatch by Ruby on Rails
CVE-2023-22792

7.5 HIGH

Key Information:

Vendor:
CVE Published:
9 February 2023

What is CVE-2023-22792?

A Denial of Service (DoS) vulnerability has been identified in Action Dispatch, a component of Ruby on Rails, affecting several versions of the framework. The flaw arises from the handling of specially crafted cookies in conjunction with a modified X_FORWARDED_HOST header, which leads to catastrophic backtracking in the regular expression engine. When exploited, an attacker can significantly degrade the performance of the affected system by causing excessive CPU and memory usage, resulting in service interruptions. Users of any susceptible version are strongly advised to upgrade to the latest release or apply the recommended workarounds to mitigate this vulnerability.

Affected Version(s)

https://github.com/rails/rails 6.0.6.1, 6.1.7.1, 7.0.4.1

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
