Svalkanov

**Name of the Vulnerable Software and Affected Versions** CGI gem versions prior to 0.4.2 **Description** A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method. This issue can lead to high CPU consumption due to crafted input. The vulnerability affects Ruby versions 3.1 and 3.2. **Recommendations** For CGI gem versions prior to 0.4.2, update the CGI gem to version 0.4.2 or later. As a temporary workaround, consider restricting the use of the `Util#escapeElement` method until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rails versions 7.1.0 through 7.1.3.0 **Description** There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This issue can cause Accept header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. Carefully crafted Accept headers can exploit this issue. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. **Recommendations** For versions 7.1.0 through 7.1.3.0, upgrade to version 7.1.3.1 or apply the provided patch for the 7.1 series, 7-1-accept-redox.patch. As a temporary workaround, consider restricting access to the Accept header parsing routines in Action Dispatch until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.0.9.4 Rack versions prior to 2.1.4.4 Rack versions prior to 2.2.8.1 Rack versions prior to 3.0.9.1 **Description** The issue is related to the header parsing in Rack, which can be exploited by carefully crafted headers, potentially leading to a denial of service. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. **Recommendations** To resolve the issue for Rack versions prior to 2.0.9.4, update to version 2.0.9.4 or newer. To resolve the issue for Rack versions prior to 2.1.4.4, update to version 2.1.4.4 or newer. To resolve the issue for Rack versions prior to 2.2.8.1, update to version 2.2.8.1 or newer. To resolve the issue for Rack versions prior to 3.0.9.1, update to version 3.0.9.1 or newer. As a temporary workaround, consider restricting access to the Accept and Forwarded headers until a patch is available. Patches are available for the 2.0, 2.1, 2.2, and 3.0 series in git-am format.

**Name of the Vulnerable Software and Affected Versions** date gem versions prior to 3.2.1 date gem versions prior to 3.1.2 date gem versions prior to 3.0.2 date gem versions prior to 2.0.1 **Description** The issue is related to a ReDoS (regular expression Denial of Service) vulnerability in the date gem for Ruby, which can be exploited by using a long string. This can lead to a denial of service. The vulnerability is due to the use of regular expressions internally in the date parsing methods, including `Date.parse`. Applications and libraries that apply such methods to untrusted input may be affected. **Recommendations** For date gem versions prior to 3.2.1, update to version 3.2.1 or later. For date gem versions prior to 3.1.2, update to version 3.1.2 or later. For date gem versions prior to 3.0.2, update to version 3.0.2 or later. For date gem versions prior to 2.0.1, update to version 2.0.1 or later. As a temporary workaround, consider using `Date.strptime` instead with a predefined date format, such as `Date.strptime('2001-02-20', '%Y-%m-%d')`.