CVE-2024-26142 — HIGH (7.5)

Q: How severe is CVE-2024-26142?

CVE-2024-26142 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-26142?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Ruby-Lang Ruby.

Vulnerability Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Rubyonrails	Rails	>= 7.1.0, < 7.1.3.1
Ruby-Lang	Ruby	< 3.2.0

Related Weaknesses (CWE)

CWE-1333

References

https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-Vendor Advisory
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272Patch
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wqVendor Advisory
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024Third Party Advisory
https://security.netapp.com/advisory/ntap-20240503-0003/Third Party Advisory
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-Vendor Advisory
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272Patch
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wqVendor Advisory
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024Third Party Advisory
https://security.netapp.com/advisory/ntap-20240503-0003/Third Party Advisory

FAQ

What is CVE-2024-26142?

CVE-2024-26142 is a vulnerability with a CVSS score of 7.5 (HIGH). Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1....

How severe is CVE-2024-26142?

CVE-2024-26142 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-26142?

Check the references section above for vendor advisories and patch information. Affected products include: Rubyonrails Rails, Ruby-Lang Ruby.