Scyoon

**Name of the Vulnerable Software and Affected Versions** Action Pack versions 4.0.0 through 6.1.7.8 Action Pack versions 7.0.0 through 7.0.8.4 Action Pack versions 7.1.0 through 7.1.4.0 Action Pack versions 7.2.0 through 7.2.1.0 **Description** The issue is related to a ReDoS vulnerability in Action Controller's HTTP Token authentication, which can cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. This can be exploited by a remote attacker, allowing them to cause a denial of service. For applications using HTTP Token authentication via `authenticate or request with http token` or similar, a carefully crafted header may cause the issue. **Recommendations** For Action Pack versions 4.0.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch. For Action Pack versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch. For Action Pack versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch. For Action Pack versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch. As a temporary workaround, consider using Ruby 3.2 or newer, as it has mitigations for this problem.

**Name of the Vulnerable Software and Affected Versions** Action Pack versions 3.1.0 through 6.1.7.8 Action Pack versions 7.0.0 through 7.0.8.4 Action Pack versions 7.1.0 through 7.1.4.0 Action Pack versions 7.2.0 through 7.2.1.0 **Description** The issue is related to a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. This can be exploited by a remote attacker to cause a denial of service. **Recommendations** For Action Pack versions 3.1.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch immediately. For Action Pack versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch immediately. For Action Pack versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch immediately. For Action Pack versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch immediately. As a temporary workaround, consider using Ruby 3.2, which has mitigations for this problem.

**Name of the Vulnerable Software and Affected Versions** REXML gem versions prior to 3.3.3 **Description** The REXML gem has some DoS vulnerabilities when it parses an XML that has many specific characters, such as whitespace characters, `&gt;` and `]&gt;`, or `<`, `0` and `%>`. This vulnerability is related to uncontrolled resource consumption and can be exploited by a remote attacker to cause a denial of service. If you need to parse untrusted XMLs, you may be impacted by these vulnerabilities. **Recommendations** For REXML gem versions prior to 3.3.3, upgrade to version 3.3.3 or later to fix these vulnerabilities. As a temporary workaround, consider not parsing untrusted XMLs to minimize the risk of exploitation. Restricting the parsing of XMLs with many specific characters can also help mitigate the issue.