CVE-2023-22796

Name
CVE-2023-22796
Description
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
DEBIAN https://www.debian.org/security/2023/dsa-5372
support@hackerone.com https://security.netapp.com/advisory/ntap-20240202-0009/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:activesupport_project:activesupport:*:*:*:*:*:ruby:*:* ruby-activesupport >= 7.0.0 < 7.0.4.1
cpe:2.3:a:activesupport_project:activesupport:*:*:*:*:*:ruby:*:* ruby-activesupport >= None < 6.1.7.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
ruby-activesupport 3.17-community 7.0.4.3-r0 Jakub Jirutka <jakub@jirutka.cz> fixed