CVE-2021-22904
Summary
| CVE | CVE-2021-22904 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-06-11 16:15:00 UTC |
| Updated | 2021-09-20 13:51:00 UTC |
| Description | The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. |
Risk And Classification
Problem Types: NVD-CWE-Other
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rubyonrails | Rails | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| [CVE-2021-22904] Possible DoS Vulnerability in Action Controller Token Authentication - Security Announcements - Ruby on Rails Discussions | MISC | discuss.rubyonrails.org | |
| June 2021 Ruby Vulnerabilities in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| HackerOne | MISC | hackerone.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178588 Debian Security Update for rails (DLA 2655-1)
- 178665 Debian Security Update for rails (DSA 4929-1)
- 180267 Debian Security Update for rails (CVE-2021-22904)
- 239895 Red Hat Update for Satellite 6.10 (RHSA-2021:4702)
- 690146 Free Berkeley Software Distribution (FreeBSD) Security Update for rails (f7a00ad7-ae75-11eb-8113-08002728f74c)
- 753313 SUSE Enterprise Linux Security Update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (SUSE-SU-2022:2108-1)