PT-2021-4539 · Ruby On Rails · Action Pack

Published

2021-05-01

·

Updated

2025-09-29

·

CVE-2021-22904

CVSS v3.1

7.5

High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

actionpack versions 4.0.0 through 6.1.3.1, 6.0.3.6, 5.2.4.5 and 5.2.5 are affected.
actionpack versions 6.1.3.2, 6.0.3.7, 5.2.4.6 and 5.2.6 are not affected.
Description

The issue is a denial of service vulnerability in the Token Authentication logic of Action Controller, caused by a too-permissive regular expression: the delimiter pattern used to split the Authorization header into its token parameters can be made to backtrack excessively. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication. A remote, unauthenticated attacker can send a crafted Authorization header that ties up CPU time in the regex match, causing a denial of service.
Recommendations

For actionpack versions 4.0.0 through 6.1.3.1, 6.0.3.6, 5.2.4.5 and 5.2.5, upgrade to version 6.1.3.2, 6.0.3.7, 5.2.4.6 or 5.2.6. As a temporary workaround, add the following monkey patch to an initializer. It replaces the delimiter constant with the patched value, in which a tab is matched as a single character rather than as a `\t+` run; Ruby prints an "already initialized constant" warning when the constant is reassigned, which is expected here.

```ruby
# config/initializers/cve_2021_22904.rb (file name is a suggestion, not part of the advisory)
module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end
```
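To see what the too-permissive delimiter regex does in practice, here is an added example written for this page; it is not code from Rails or from the advisory. It is a simplified re-implementation of Action Controller's token-header parsing, parameterised on the delimiter regex, so the pre-fix value `/(?:,|;|\t+)/` (taken from the upstream fix commit; the advisory itself only quotes the patched value) can be compared with the post-fix value from the workaround above. `raw_params` mirrors the shape of the Rails method of the same name but drops its quote-handling details; `token_params`, `parse_seconds` and the two headers are this example's own names and constructed inputs. The hostile header is a long run of whitespace with no delimiter at all, the shape that forces the split pattern to backtrack over the whole run at every start position.

```ruby
# Added example (not Rails' own code): simplified token-header parser,
# parameterised on the pair-delimiter regex so both values can be compared.

TOKEN_KEY   = "token="
TOKEN_REGEX = /^(Token|Bearer)\s+/

# Pre-fix delimiter (from the upstream fix commit, not from this advisory).
# Inside the split pattern /\s*DELIM\s*/ the `\t+` alternative overlaps with
# the surrounding `\s*`, and on a long run of whitespace without any delimiter
# the engine re-scans that run from every start position.
VULNERABLE_DELIMITERS = /(?:,|;|\t+)/
# Post-fix delimiter (the value the advisory's workaround installs).
FIXED_DELIMITERS      = /(?:,|;|\t)/

# Split an Authorization header value into "key=value" fragments, following
# the shape of ActionController::HttpAuthentication::Token#raw_params.
def raw_params(auth, delimiters)
  parts = auth.sub(TOKEN_REGEX, "").split(/\s*#{delimiters}\s*/)
  parts.reject!(&:empty?)
  # A bare "Token abc123" header is normalised to "token=abc123".
  parts[0] = "#{TOKEN_KEY}#{parts.first}" unless parts.first.to_s.start_with?(TOKEN_KEY)
  parts
end

# Turn the fragments into a Hash, stripping double quotes around values
# (simplified from Rails' token_params_from / rewrite_param_values).
def token_params(auth, delimiters)
  raw_params(auth, delimiters).each_with_object({}) do |param, h|
    key, value = param.split("=", 2)
    h[key] = value.to_s.delete('"')
  end
end

# Wall-clock seconds spent parsing `auth` with the given delimiter regex.
def parse_seconds(auth, delimiters)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  token_params(auth, delimiters)
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
end

# Constructed inputs: a normal header and a hostile one made of a long run of
# spaces that contains no comma, semicolon or tab (no delimiter to match).
NORMAL_HEADER = 'Token token="s3cr3t", realm="api"'
EVIL_HEADER   = "Token ." + " " * 10_000 + "."

if __FILE__ == $0
  p token_params(NORMAL_HEADER, FIXED_DELIMITERS)
  [["pre-fix", VULNERABLE_DELIMITERS], ["post-fix", FIXED_DELIMITERS]].each do |label, re|
    printf("%-8s %.4fs\n", label, parse_seconds(EVIL_HEADER, re))
  end
end
```

Both delimiter values parse well-formed headers identically, so the patch changes no accepted input; only the cost of rejecting hostile input changes. Raise the space count in `EVIL_HEADER` towards a typical 80 KB header limit to see how the pre-fix time grows on your Ruby build.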

Exploit

Fix

DoS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2021-2595
ALT-PU-2023-4268
ALT-PU-2024-7814
BDU:2021-05203
CVE-2021-22904
DLA-2655-1
DSA-4929-1
GHSA-7WJX-3G7J-8584
OESA-2021-1248
OPENSUSE-SU-2022_2108-1
OPENSUSE-SU-2024:11317-1
OPENSUSE-SU-2024:11318-1
OPENSUSE-SU-2024:11821-1
RHSA-2021:4702
SUSE-SU-2022:2108-1
SUSE-SU-2022_2108-1

Affected Products

Alt Linux
Astra Linux
Suse
Action Pack