PT-2023-18700 · Action Dispatch

Ooooooo_Q

Published: 2023-01-18 · Updated: 2025-09-29

CVE-2023-22792

CVSS v2.0: 7.8 (High) · Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Action Dispatch versions prior to 6.0.6.1
Action Dispatch versions prior to 6.1.7.1
Action Dispatch versions prior to 7.0.4.1
Description

A regular expression denial-of-service (ReDoS) issue in Action Dispatch results from insufficient validation of request-derived input. A remote, unauthenticated attacker can exploit it to cause a denial of service. Specially crafted cookies, combined with a specially crafted X-Forwarded-Host header, cause the regular expression engine to enter catastrophic backtracking while the cookie domain is derived from the request host (which X-Forwarded-Host controls behind a proxy), driving CPU and memory consumption of the affected process up until it stops serving requests.
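To make the mechanism concrete, the Ruby below is an example added by the editor and is not Action Dispatch's code. `cookie_domain_regex` derives a cookie domain by taking the last N host labels with a pattern of the `([^.]+\.?){N}$` shape; because each repetition may or may not consume a dot, a long dot-free run can be partitioned between the N groups in many ways, and the engine retries every partition from every start position once the end anchor fails. `cookie_domain_split` is the split-based alternative that the patch titles above describe, with the input validation a practitioner would want, and `hostile_host` constructs the kind of value an X-Forwarded-Host header can carry. The pattern, the function names and the sample hosts are the editor's assumptions, not taken from Rails.

```ruby
# Added example (editor's code, not Action Dispatch's): a regex-based and a
# split-based way to derive a cookie domain from the request host, plus a
# timing harness that shows why the regex is a denial-of-service vector.
require "benchmark"

# Illustrative pattern of the /([^.]+\.?){N}$/ shape (an assumption, not the
# exact Rails regex). Each repetition may or may not consume a dot, so a long
# dot-free run can be split between the N groups in O(len**(N-1)) ways, and
# the engine retries every split from every start position once "$" fails.
def cookie_domain_regex(host, tld_length)
  m = host.match(/([^.]+\.?){#{tld_length}}$/)
  m && ".#{m[0]}"
end

# Split-based replacement: linear time, and it also rejects the inputs the
# regex quietly accepts (empty labels, bare IPv4, fewer labels than asked for).
def cookie_domain_split(host, tld_length)
  labels = host.split(".", -1)              # -1 keeps trailing empty labels
  return nil if labels.size < tld_length    # "localhost" with tld_length 2
  return nil if labels.any?(&:empty?)       # "a..b", ".a", "a."
  return nil if host.match?(/\A[\d.]+\z/)   # bare IPv4: no domain cookie
  ".#{labels.last(tld_length).join('.')}"
end

# Constructed hostile value of the kind X-Forwarded-Host can carry: a long
# dot-free run followed by two dots, so the anchored match can never succeed.
def hostile_host(n)
  ("a" * n) + ".."
end

# Wall-clock cost of the regex path for several host lengths.
def regex_cost_profile(sizes, tld_length)
  sizes.map do |n|
    host = hostile_host(n)
    [n, Benchmark.realtime { cookie_domain_regex(host, tld_length) }]
  end
end

# Defense in depth on Ruby >= 3.2: a global match deadline turns a runaway
# match into Regexp::TimeoutError instead of a stuck worker. Returns
# :timed_out when the deadline fires; on older Rubies it just runs the match.
def guarded_cookie_domain(host, tld_length, seconds: 0.5)
  return cookie_domain_regex(host, tld_length) unless Regexp.respond_to?(:timeout=)
  previous = Regexp.timeout
  Regexp.timeout = seconds
  begin
    cookie_domain_regex(host, tld_length)
  rescue Regexp::TimeoutError
    :timed_out
  ensure
    Regexp.timeout = previous
  end
end

if $PROGRAM_NAME == __FILE__
  regex_cost_profile([50, 100, 200], 3).each do |n, s|
    printf("regex path, host length %3d: %.4fs\n", n, s)
  end
  split_time = Benchmark.realtime { cookie_domain_split(hostile_host(200), 3) }
  printf("split path, host length 200: %.6fs\n", split_time)
end
```

Doubling the host length multiplies the regex path's time by roughly 2^N (8x for `tld_length` 3) on Ruby 3.1 and earlier; raise the sizes in `regex_cost_profile` to see it clearly. On Ruby 3.2 and later the interpreter's regex memoization may already run this particular pattern in linear time and `Regexp.timeout=` exists as a global backstop, so the growth may not be visible there. The split version is fast on every interpreter and, unlike the regex as written, does not turn `localhost` into `.localhost` or accept hosts with empty labels.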
Recommendations

For versions prior to 6.0.6.1, upgrade to 6.0.6.1 or later.
For versions prior to 6.1.7.1, upgrade to 6.1.7.1 or later, or apply the patch 6-1-Use-string-split-instead-of-regex-for-domain-parts.patch.
For versions prior to 7.0.4.1, upgrade to 7.0.4.1 or later, or apply the patch 7-0-Use-string-split-instead-of-regex-for-domain-parts.patch.
As a temporary workaround, filter malicious X-Forwarded-Host headers at a load balancer or other device in front of the application, so that they never reach it.
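For readers who cannot change the load balancer, the same allowlist check can sit in the application's own middleware stack ahead of cookie handling. The Rack middleware below is added by the editor, is not Rails code, and assumes a fixed allowlist of expected hosts: an X-Forwarded-Host value that is not a syntactically valid hostname on that list is answered with 400 before any cookie-domain parsing sees it. The per-label pattern is anchored and bounded, so the filter itself cannot be driven into backtracking. The class and function names and the sample hosts are constructed.

```ruby
# Added example (editor's code, not Rails'): reject requests whose
# X-Forwarded-Host is not a well-formed hostname from an allowlist, so the
# value never reaches cookie-domain parsing. Meant to be inserted early in
# the Rack stack; an edge device remains the preferred place for this check.

# One DNS label: 1..63 chars, alphanumerics and hyphens, no leading/trailing
# hyphen. Anchored and bounded, so matching is linear in the label length.
HOSTNAME_LABEL = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\z/i

def acceptable_forwarded_host?(value, allowed)
  return true if value.nil?                 # header absent: nothing to filter
  host = value.split(",").last.to_s.strip   # proxies may append a chain
  host = host.sub(/:\d+\z/, "")             # drop an optional port
  return false if host.empty? || host.length > 253
  labels = host.split(".", -1)              # -1 keeps empty labels visible
  return false unless labels.all? { |l| HOSTNAME_LABEL.match?(l) }
  allowed.include?(host.downcase)
end

class ForwardedHostFilter
  def initialize(app, allowed_hosts)
    @app = app
    @allowed = allowed_hosts.map(&:downcase)
  end

  def call(env)
    unless acceptable_forwarded_host?(env["HTTP_X_FORWARDED_HOST"], @allowed)
      return [400, { "content-type" => "text/plain" }, ["Bad Request\n"]]
    end
    @app.call(env)
  end
end

# Stand-in downstream application for the demonstration.
DOWNSTREAM_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

# Status the filtered stack returns for a given header value (nil = absent).
def demo_status(forwarded_host, allowed = ["app.example.com"])
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  env["HTTP_X_FORWARDED_HOST"] = forwarded_host unless forwarded_host.nil?
  ForwardedHostFilter.new(DOWNSTREAM_APP, allowed).call(env)[0]
end

if $PROGRAM_NAME == __FILE__
  [nil, "app.example.com", "App.Example.com:443",
   "lb.internal, app.example.com", "evil.example.com",
   "app..example.com", ("a" * 300) + ".."].each do |value|
    printf("%-32s -> %d\n", value.to_s[0, 32].inspect, demo_status(value))
  end
end
```

In a Rails application this would be inserted with `config.middleware.insert_before ActionDispatch::Cookies, ForwardedHostFilter, %w[app.example.com]` (an assumption about deployment, not part of the advisory); with a fixed allowlist it rejects the oversized, dot-doubled and foreign hosts an attacker would send while letting legitimate proxy chains and port suffixes through.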

Tags

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

CWE-1333: Inefficient Regular Expression Complexity

Related Identifiers

ALSA-2025:16880
ALT-PU-2023-1336
ALT-PU-2023-4268
ALT-PU-2024-7814
BDU:2025-01402
CVE-2023-22792
DSA-5372-1
GHSA-p84v-45xj-wwqj
OESA-2024-1146
openSUSE-SU-2023:0444-1
openSUSE-SU-2024:12765-1
openSUSE-SU-2024:14067-1
openSUSE-SU-2025:15110-1
RHSA-2023:6818
RLSA-2023:6818
SUSE-SU-2023:0442-1
SUSE-SU-2023:0444-1

Affected Products

Action Dispatch
ALT Linux
RED OS
Rocky Linux
SUSE