Vulnerability-Lookup

CVE-2024-41128 (GCVE-0-2024-41128)

Vulnerability from cvelistv5 – Published: 2024-10-16 18:04 – Updated: 2024-10-17 17:11

Title

Action Dispatch has possible ReDoS vulnerability in query parameter filtering

Summary

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Severity ?

6.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

GitHub_M

References

URL

Tags

	https://github.com/rails/rails/security/advisorie…	x_refsource_CONFIRM
	https://github.com/rails/rails/commit/27121e80f6d…	x_refsource_MISC
	https://github.com/rails/rails/commit/b0fe99fa854…	x_refsource_MISC
	https://github.com/rails/rails/commit/b1241f468d1…	x_refsource_MISC
	https://github.com/rails/rails/commit/fb493bebae1…	x_refsource_MISC
	https://access.redhat.com/security/cve/cve-2024-41128	x_refsource_MISC
	https://bugzilla.redhat.com/show_bug.cgi?id=2319036	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	rails	rails	Affected: >= 3.1.0, < 6.1.7.9 Affected: >= 7.0.0, < 7.0.8.5 Affected: >= 7.1.0, < 7.1.4.1 Affected: >= 7.2.0, < 7.2.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rails:rails:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rails",
            "vendor": "rails",
            "versions": [
              {
                "lessThanOrEqual": "6.1.7.9",
                "status": "affected",
                "version": "3.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.0.8.5",
                "status": "affected",
                "version": "7.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.1.4.1",
                "status": "affected",
                "version": "7.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.2.1.1",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-41128",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T17:09:25.747178Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T17:11:51.031Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rails",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.1.0, \u003c 6.1.7.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.0.8.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.1.0, \u003c 7.1.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.2.0, \u003c 7.2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-770",
              "description": "CWE-770: Allocation of Resources Without Limits or Throttling",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-16T18:04:42.501Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"
        },
        {
          "name": "https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"
        },
        {
          "name": "https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"
        },
        {
          "name": "https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"
        },
        {
          "name": "https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"
        },
        {
          "name": "https://access.redhat.com/security/cve/cve-2024-41128",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://access.redhat.com/security/cve/cve-2024-41128"
        },
        {
          "name": "https://bugzilla.redhat.com/show_bug.cgi?id=2319036",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319036"
        }
      ],
      "source": {
        "advisory": "GHSA-x76w-6vjr-8xgj",
        "discovery": "UNKNOWN"
      },
      "title": "Action Dispatch has possible ReDoS vulnerability in query parameter filtering"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-41128",
    "datePublished": "2024-10-16T18:04:42.501Z",
    "dateReserved": "2024-07-15T15:53:28.323Z",
    "dateUpdated": "2024-10-17T17:11:51.031Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-41128\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-17T17:09:25.747178Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:rails:rails:*:*:*:*:*:*:*:*\"], \"vendor\": \"rails\", \"product\": \"rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.1.0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"6.1.7.9\"}, {\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.8.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.1.0\", \"lessThan\": \"7.1.4.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.2.0\", \"lessThan\": \"7.2.1.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-16T19:46:43.185Z\"}}], \"cna\": {\"title\": \"Action Dispatch has possible ReDoS vulnerability in query parameter filtering\", \"source\": {\"advisory\": \"GHSA-x76w-6vjr-8xgj\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rails\", \"product\": \"rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.1.0, \u003c 6.1.7.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.0.0, \u003c 7.0.8.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.1.0, \u003c 7.1.4.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.2.0, \u003c 7.2.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj\", \"name\": \"https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075\", \"name\": \"https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef\", \"name\": \"https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891\", \"name\": \"https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd\", \"name\": \"https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://access.redhat.com/security/cve/cve-2024-41128\", \"name\": \"https://access.redhat.com/security/cve/cve-2024-41128\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2319036\", \"name\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2319036\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-16T18:04:42.501Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-41128\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-17T17:11:51.031Z\", \"dateReserved\": \"2024-07-15T15:53:28.323Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-16T18:04:42.501Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

GHSA-X76W-6VJR-8XGJ

Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2024-10-31 19:33

Summary

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch

Details

There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.

Impact

Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for the report and patches!

Severity ?

6.6 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "6.1.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41128"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-15T23:35:33Z",
    "nvd_published_at": "2024-10-16T18:15:06Z",
    "severity": "MODERATE"
  },
  "details": "There is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-41128.\n\nImpact\n------\n\nCarefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers on Ruby 3.2 are unaffected by this issue.\n\n\nCredits\n-------\n\nThanks to [scyoon](https://hackerone.com/scyoon) for the report and patches!",
  "id": "GHSA-x76w-6vjr-8xgj",
  "modified": "2024-10-31T19:33:44Z",
  "published": "2024-10-15T23:35:33Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41128"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2024-41128"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319036"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Possible ReDoS vulnerability in query parameter filtering in Action Dispatch"
}

CVE-2024-41128

Vulnerability from fstec - Published: 16.10.2024

Title

Уязвимость компонента Action Dispatch расширения Action Pack интерпретатора Ruby, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость компонента Action Dispatch расширения Action Pack интерпретатора Ruby связана с неограниченным распределением ресурсов. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

Vendor

Red Hat Inc., Сообщество свободного программного обеспечения, ООО «Ред Софт», Ruby Team

Software Name

Red Hat 3scale API Management Platform, Debian GNU/Linux, РЕД ОС (запись в едином реестре российских программ №3751), Red Hat Satellite, Action Pack

Software Version

2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (РЕД ОС), 6 (Red Hat Satellite), от 6.0.0 до 6.1.7.9 (Action Pack), от 7.0.0 до 7.0.8.5 (Action Pack), от 7.1.0 до 7.1.4.1 (Action Pack), от 7.2.0 до 7.2.1.1 (Action Pack)

Possible Mitigations

Использование рекомендаций: Для Action Pack: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2024-41128 Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2024-41128

Reference

https://access.redhat.com/security/cve/cve-2024-41128 https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075 https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891 https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj https://redos.red-soft.ru/support/secure/

CWE

CWE-770

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:N/C:N/I:N/A:P",
  "CVSS 3.0": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Ruby Team",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "2 (Red Hat 3scale API Management Platform), 11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 6 (Red Hat Satellite), \u043e\u0442 6.0.0 \u0434\u043e 6.1.7.9 (Action Pack), \u043e\u0442 7.0.0 \u0434\u043e 7.0.8.5 (Action Pack), \u043e\u0442 7.1.0 \u0434\u043e 7.1.4.1 (Action Pack), \u043e\u0442 7.2.0 \u0434\u043e 7.2.1.1 (Action Pack)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Action Pack:\nhttps://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2024-41128\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2024-41128",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "16.10.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "14.11.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "14.11.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-09432",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2024-41128",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat 3scale API Management Platform, Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Red Hat Satellite, Action Pack",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action Dispatch \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f Action Pack \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u043e\u0435 \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432 \u0438\u043b\u0438 \u0434\u0440\u043e\u0441\u0441\u0435\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 (CWE-770)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action Dispatch \u0440\u0430\u0441\u0448\u0438\u0440\u0435\u043d\u0438\u044f Action Pack \u0438\u043d\u0442\u0435\u0440\u043f\u0440\u0435\u0442\u0430\u0442\u043e\u0440\u0430 Ruby \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043e\u0433\u0440\u0430\u043d\u0438\u0447\u0435\u043d\u043d\u044b\u043c \u0440\u0430\u0441\u043f\u0440\u0435\u0434\u0435\u043b\u0435\u043d\u0438\u0435\u043c \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://access.redhat.com/security/cve/cve-2024-41128\nhttps://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075\nhttps://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef\nhttps://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891\nhttps://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd\nhttps://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj\nhttps://redos.red-soft.ru/support/secure/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-770",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 2,6)\n\u041d\u0438\u0437\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 3,7)"
}

FKIE_CVE-2024-41128

Vulnerability from fkie_nvd - Published: 2024-10-16 18:15 - Updated: 2024-10-18 12:53

Severity ?

6.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Summary

References

	URL	Tags
	security-advisories@github.com	https://access.redhat.com/security/cve/cve-2024-41128
	security-advisories@github.com	https://bugzilla.redhat.com/show_bug.cgi?id=2319036
	security-advisories@github.com	https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075
	security-advisories@github.com	https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef
	security-advisories@github.com	https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891
	security-advisories@github.com	https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd
	security-advisories@github.com	https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected."
    },
    {
      "lang": "es",
      "value": "Action Pack es un framework de trabajo para gestionar y responder a solicitudes web. A partir de la versi\u00f3n 3.1.0 y anteriores a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 y 7.2.1.1, existe una posible vulnerabilidad de ReDoS en las rutinas de filtrado de par\u00e1metros de consulta de Action Dispatch. Los par\u00e1metros de consulta cuidadosamente manipulados pueden hacer que el filtrado de par\u00e1metros de consulta tarde una cantidad inesperada de tiempo, lo que puede dar como resultado una vulnerabilidad de DoS. Todos los usuarios que ejecuten una versi\u00f3n afectada deben actualizar a la versi\u00f3n 6.1.7.9, 7.0.8.5, 7.1.4.1 o 7.2.1.1 o aplicar el parche correspondiente de inmediato. Se puede utilizar Ruby 3.2 como workaround. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rails que utilizan Ruby 3.2 o versiones m\u00e1s nuevas no se ven afectadas. Rails 8.0.0.beta1 depende de Ruby 3.2 o superior, por lo que no se ve afectado."
    }
  ],
  "id": "CVE-2024-41128",
  "lastModified": "2024-10-18T12:53:04.627",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-16T18:15:06.070",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://access.redhat.com/security/cve/cve-2024-41128"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319036"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

CERTFR-2024-AVI-0889

Vulnerability from certfr_avis - Published: 2024-10-16 - Updated: 2024-10-16

De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.2.x antérieures à 7.2.1.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.0.x antérieures à 7.0.8.5
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.1.x antérieures à 7.1.4.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions antérieures à 6.1.7.9

References

Title

Publication Time

bit-rails-2024-41128

Vulnerability from bitnami_vulndb

Published

2025-04-14 11:26

Modified

2025-05-20 10:02

Summary

Action Dispatch has possible ReDoS vulnerability in query parameter filtering

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "rails",
        "purl": "pkg:bitnami/rails"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "6.1.8"
            },
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.9"
            },
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.4"
            }
          ],
          "type": "SEMVER"
        },
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.2"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "type": "CVSS_V4"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-41128"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:ruby:*:*"
    ],
    "severity": "Medium"
  },
  "details": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
  "id": "BIT-rails-2024-41128",
  "modified": "2025-05-20T10:02:07.006Z",
  "published": "2025-04-14T11:26:06.343Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/cve-2024-41128"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2319036"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-41128"
    }
  ],
  "schema_version": "1.6.2",
  "summary": "Action Dispatch has possible ReDoS vulnerability in query parameter filtering"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-41128 (GCVE-0-2024-41128)

GHSA-X76W-6VJR-8XGJ

Impact

Releases

Workarounds

Credits

CVE-2024-41128

FKIE_CVE-2024-41128

CERTFR-2024-AVI-0889

Solutions

bit-rails-2024-41128

Vulnerability from bitnami_vulndb

Tags

Sightings

Nomenclature