Possible DoS Vulnerability in Action Controller's HTTP Token Authentication
CVE-2024-47887
What is CVE-2024-47887?
A potential ReDoS (regular expression denial of service) vulnerability exists in the Action Pack framework of Ruby on Rails, affecting versions from 4.0.0 up to, but not including, 6.1.7.9, 7.0.8.5, 7.1.4.1 and 7.2.1.1. It is reachable when an application uses HTTP Token authentication, for example through authenticate_or_request_with_http_token. An attacker can send a crafted Authorization header that makes header parsing take an unexpectedly long time, tying up the request and resulting in a Denial of Service condition. Users of affected versions should upgrade to a patched release or apply the relevant security patch immediately. Running on Ruby 3.2 or later is a temporary workaround, because Ruby 3.2 added built-in mitigations against this kind of regular expression backtracking. Rails 8.0.0.beta1 requires Ruby 3.2 or greater and is therefore not affected.
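The mechanism behind this class of bug, as an added example that is not Rails code: a Token-header splitter whose delimiter regex nests overlapping whitespace quantifiers, beside a linear rewrite. The module and method names, both regexes and the constructed hostile header are this example's own assumptions, chosen to have the shape the advisory describes; consult the Rails fix commits for the actual change.

```ruby
# frozen_string_literal: true
#
# Added example, not code from Rails: contrasts a Token-header splitter whose
# delimiter regex has the ReDoS-prone shape with a linear-time rewrite.
# Module name, method names, both regexes and the hostile header below are this
# example's own assumptions, not copied from the affected or patched Rails code.
require "benchmark"

module TokenHeaderDemo
  # Strips the "Token " / "Bearer " scheme prefix from an Authorization value.
  TOKEN_PREFIX = /\A(Token|Bearer)\s+/

  # Vulnerable shape (assumption: modelled on the kind of delimiter pattern the
  # advisory concerns, not the exact upstream regex). `\s*` on both sides of an
  # alternation that itself contains `\t+` overlaps: on a long whitespace run
  # that contains no `,`, `;` or tab, the engine backtracks across the whole run
  # at every start offset, so matching cost grows quadratically with the header
  # length. Ruby 3.2 and later memoize this backtracking, which is why the
  # advisory lists Ruby 3.2 as a workaround.
  VULNERABLE_DELIMITER = /\s*(?:,|;|\t+)\s*/

  # Hardened shape: split on one character from a fixed class (no nested or
  # overlapping quantifiers) and trim each piece afterwards. Linear on any Ruby.
  SAFE_DELIMITER = /[,;\t]/

  def self.raw_params_vulnerable(auth)
    auth.sub(TOKEN_PREFIX, "").split(VULNERABLE_DELIMITER).reject(&:empty?)
  end

  def self.raw_params_hardened(auth)
    auth.sub(TOKEN_PREFIX, "").split(SAFE_DELIMITER).map(&:strip).reject(&:empty?)
  end

  # Turns 'token="abc", nonce=xyz' style pairs into {"token"=>"abc", "nonce"=>"xyz"}.
  # A bare first value with no key is treated as the token itself.
  def self.pairs_to_hash(raw)
    raw.each_with_object({}) do |pair, h|
      key, value = pair.split("=", 2)
      if value.nil?
        h["token"] ||= key.strip.delete('"')
      else
        h[key.strip] = value.strip.delete('"')
      end
    end
  end

  def self.parse_vulnerable(auth)
    pairs_to_hash(raw_params_vulnerable(auth))
  end

  def self.parse_hardened(auth)
    pairs_to_hash(raw_params_hardened(auth))
  end

  # Constructed hostile header (assumption about the trigger): a plausible
  # prefix followed by a long run of spaces. Spaces satisfy `\s*` but none of
  # the delimiter branches, so the vulnerable pattern fails at every offset only
  # after backtracking through the rest of the run.
  def self.hostile_header(n)
    "Token x" + (" " * n)
  end

  # Seconds taken to parse `auth` with the given parser (a Method or lambda).
  def self.time_parse(auth, parser)
    Benchmark.realtime { parser.call(auth) }
  end
end

if __FILE__ == $PROGRAM_NAME
  [2_000, 4_000, 8_000].each do |n|
    hdr = TokenHeaderDemo.hostile_header(n)
    v = TokenHeaderDemo.time_parse(hdr, TokenHeaderDemo.method(:parse_vulnerable))
    s = TokenHeaderDemo.time_parse(hdr, TokenHeaderDemo.method(:parse_hardened))
    printf("%6d spaces  vulnerable %.4fs  hardened %.4fs\n", n, v, s)
  end
end
```

Run the file directly to see the timings. On Ruby 3.2 or later the vulnerable splitter stays fast because the interpreter memoizes the backtracking, which is the basis of the workaround the advisory mentions; on older Rubies its time grows super-linearly as the run of spaces doubles, while the hardened splitter stays linear and returns the same parsed pairs for well-formed headers.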
Affected Version(s)
Product   Affected versions        Unaffected versions
rails     >= 4.0.0, < 6.1.7.9      < 4.0.0, >= 6.1.7.9
rails     >= 7.0.0, < 7.0.8.5      < 7.0.0, >= 7.0.8.5
rails     >= 7.1.0, < 7.1.4.1      < 7.1.0, >= 7.1.4.1
rails     >= 7.2.0, < 7.2.1.1      < 7.2.0, >= 7.2.1.1