CVE-2021-22902

Published: 11/06/2021 Updated: 18/08/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) prior to 6.0.3.7 and 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Vulnerable Product

rubyonrails rails

Vendor Advisories

Debian Bug report logs - #988214 CVE-2021-22885 CVE-2021-22902 CVE-2021-22904. Package: rails; Maintainer for rails is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org>. Date: Fri, 7 May 2021 19:3 ...

A flaw was found in RubyGem Actionpack, which is a framework for handling and responding to web requests in Rails. A possible Denial of Service vulnerability was found in the Mime type parser of Action Dispatch ...

There is a possible Denial of Service vulnerability in Action Dispatch before versions 6.0.3.7 and 6.1.0.2. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine ...