CVE-2023-22796

Name
CVE-2023-22796
Description
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:activesupport_project:activesupport:*:*:*:*:*:ruby:*:* ruby-activesupport >= 7.0.0 < 7.0.4.1
cpe:2.3:a:activesupport_project:activesupport:*:*:*:*:*:ruby:*:* ruby-activesupport >= None < 6.1.7.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ruby-activesupport edge-community 7.0.4-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable
ruby-activesupport 3.17-community 7.0.4-r0 Jakub Jirutka <jakub@jirutka.cz> possibly vulnerable