CyberSec.Space Logo
Back to CVE Browser

CVE-2021-22902

HIGH
7.5
CVSS Severity Score
EPSS Score0.0250%
EPSS Percentile37.71th
PublishedJun 11, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Affected Platforms (CPE)

πŸ“¦
Rubyonrails

Rails

>= 6.0.0 and < 6.0.3.7
πŸ“¦
Rubyonrails

Rails

>= 6.1.0 and < 6.1.0.2

References & Advisories

πŸ”— https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
πŸ”— https://hackerone.com/reports/1138654
πŸ”— https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866
πŸ”— https://hackerone.com/reports/1138654

Related Vulnerabilities

CVE-2013-027710.0

ActiveRecord in Ruby on Rails before 2.3.17 and 3.x before 3.1.0 allows remote attackers to cause a denial of service or execute a...

CVE-2012-457710.0

The Linux firmware image on (1) Korenix Jetport 5600 series serial-device servers and (2) ORing Industrial DIN-Rail serial-device ...

CVE-2019-110279.8

Ruby OpenID (aka ruby-openid) through 2.8.0 has a remotely exploitable flaw. This library is used by Rails web applications to int...

CVE-2018-184769.8

mysql-binuuid-rails 1.1.0 and earlier allows SQL Injection because it removes default string escaping for affected database column...