CVE-2023-22795

Name of the Vulnerable Software and Affected Versions Action Dispatch versions prior to 6.1.7.1 Action Dispatch versions prior to 7.0.4.1

Description The issue is related to insufficient input validation in the Action Dispatch component of Ruby on Rails, which can lead to a denial of service (DoS) vulnerability. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking when using a version of Ruby below 3.2.0, leading to high CPU and memory usage. This can result in a possible DoS vulnerability. Users running affected releases should upgrade or use one of the workarounds immediately.

Recommendations For Action Dispatch versions prior to 6.1.7.1, upgrade to version 6.1.7.1 or apply the patch 6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch. For Action Dispatch versions prior to 7.0.4.1, upgrade to version 7.0.4.1 or apply the patch 7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch. As a temporary workaround, consider using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.