PT-2024-7925 · Ruby On Rails · Action Pack

Scyoon · Published 2024-10-15 · Updated 2025-11-25 · CVE-2024-47887

CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

Action Pack versions 4.0.0 through 6.1.7.8
Action Pack versions 7.0.0 through 7.0.8.4
Action Pack versions 7.1.0 through 7.1.4.0
Action Pack versions 7.2.0 through 7.2.1.0
Description

Action Controller's HTTP Token authentication contains a regular expression denial of service (ReDoS) vulnerability: parsing a carefully crafted Authorization header can take an unexpected amount of time, resulting in a denial of service. A remote attacker can exploit this to make the application unavailable. Applications that use HTTP Token authentication via `authenticate_or_request_with_http_token` or similar helpers are affected.
Recommendations

For Action Pack versions 4.0.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch.
For Action Pack versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch.
For Action Pack versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch.
For Action Pack versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch.
As a temporary workaround, consider using Ruby 3.2 or newer, as it has mitigations for this problem.
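The affected ranges and fixed versions above map directly onto a dependency audit. The following Ruby snippet is an added example, not part of this advisory or of Rails: it reads the resolved `actionpack` version out of Gemfile.lock text and reports whether it falls in an affected range and which release fixes it. The lockfile fragment is constructed for the example; the version comparison uses `Gem::Version` from RubyGems.

```ruby
require "rubygems" # Gem::Version comes from RubyGems, loaded by default in modern Ruby

# Affected ranges and fixed versions, taken from the advisory text.
ACTIONPACK_RANGES = [
  { from: "4.0.0", to: "6.1.7.8", fixed: "6.1.7.9" },
  { from: "7.0.0", to: "7.0.8.4", fixed: "7.0.8.5" },
  { from: "7.1.0", to: "7.1.4.0", fixed: "7.1.4.1" },
  { from: "7.2.0", to: "7.2.1.0", fixed: "7.2.1.1" },
].freeze

# Returns the fixed version string when the given actionpack version lies in an
# affected range (inclusive bounds), or nil when it is not affected.
def cve_2024_47887_fix_for(version_string)
  v = Gem::Version.new(version_string)
  ACTIONPACK_RANGES.each do |r|
    return r[:fixed] if v >= Gem::Version.new(r[:from]) && v <= Gem::Version.new(r[:to])
  end
  nil
end

# Extracts the resolved actionpack version from Gemfile.lock text.
# In the "specs:" section a resolved gem is indented by exactly four spaces,
# e.g. "    actionpack (7.1.3.4)"; dependency lines use six spaces and are skipped.
def actionpack_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}actionpack \(([^)]+)\)$/)
  m && m[1]
end

# Audits lockfile text and returns a summary hash; raises if actionpack is absent.
def audit_lockfile(lock_text)
  version = actionpack_version_from_lockfile(lock_text)
  raise ArgumentError, "actionpack not found in lockfile" if version.nil?

  fix = cve_2024_47887_fix_for(version)
  { version: version, affected: !fix.nil?, fix: fix }
end

# Constructed sample lockfile fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.4)
        actionview (= 7.1.3.4)
      actionview (7.1.3.4)
LOCK

if __FILE__ == $PROGRAM_NAME
  result = audit_lockfile(SAMPLE_LOCK)
  if result[:affected]
    puts "actionpack #{result[:version]} is affected by CVE-2024-47887; upgrade to #{result[:fix]}"
  else
    puts "actionpack #{result[:version]} is not in an affected range"
  end
end
```

Run it against a real project with `audit_lockfile(File.read("Gemfile.lock"))`; a prerelease such as 7.1.0.beta1 sorts below 7.1.0 under `Gem::Version`, so it is reported as not affected, which matches the ranges as written.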

Exploit

Fix

DoS

Weakness Enumeration

Related Identifiers

ALT-PU-2025-3714
BDU:2024-09429
BIT-RAILS-2024-47887
CVE-2024-47887
DLA-4383-1
DSA-5881-1
GHSA-VFG9-R3FQ-JVX4
OESA-2024-2411
OPENSUSE-SU-2024:14472-1
OPENSUSE-SU-2024:14479-1
OPENSUSE-SU-2025:15110-1
OPENSUSE-SU-2025:15124-1
SUSE-SU-2024:3877-1
USN-7290-1

Affected Products

Alt Linux
Action Pack
Debian
Linuxmint
Red Os
Suse
Ubuntu