PT-2024-7928 · Ruby On Rails · Action Pack
Scyoon · Published 2024-10-15 · Updated 2025-11-25
CVE-2024-41128
CVSS v4.0: 6.6 (Medium)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
Action Pack versions 3.1.0 through 6.1.7.8
Action Pack versions 7.0.0 through 7.0.8.4
Action Pack versions 7.1.0 through 7.1.4.0
Action Pack versions 7.2.0 through 7.2.1.0
Description
The query parameter filtering routines of Action Dispatch contain a possible ReDoS (regular expression denial of service) vulnerability. Carefully crafted query parameters can cause parameter filtering to take an unexpected amount of time, which a remote attacker can exploit to cause a denial of service.
Recommendations
For Action Pack versions 3.1.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch immediately.
For Action Pack versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch immediately.
For Action Pack versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch immediately.
For Action Pack versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch immediately.
As a temporary workaround, consider using Ruby 3.2, which has mitigations for this problem.
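To turn the affected-version list above into a check a practitioner can run against a project, the following added example (not part of the advisory and not Rails project code) reads the resolved actionpack version from Gemfile.lock text and reports the fixed release named in the recommendations. It assumes the standard Bundler lockfile layout (spec lines indented four spaces under `specs:`); the sample lockfile fragment is constructed.

```ruby
require "rubygems"

# Affected ranges and the fixed release for each, taken from the advisory.
ACTIONPACK_RANGES = [
  { min: "3.1.0", max: "6.1.7.8", fixed: "6.1.7.9" },
  { min: "7.0.0", max: "7.0.8.4", fixed: "7.0.8.5" },
  { min: "7.1.0", max: "7.1.4.0", fixed: "7.1.4.1" },
  { min: "7.2.0", max: "7.2.1.0", fixed: "7.2.1.1" }
].freeze

# Extract the resolved actionpack version from Gemfile.lock text, or nil.
# Only the 4-space-indented spec line ("    actionpack (7.1.3.4)") matches;
# dependency lines such as "actionpack (~> 7.1)" carry an operator and do not.
def locked_actionpack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \((\d[\w.]*)\)$/)
  m && Gem::Version.new(m[1])
end

# Return the fixed release to upgrade to, or nil when the version is not in
# any affected range. Gem::Version treats 7.2.1 and 7.2.1.0 as equal.
def actionpack_fix_for(version)
  hit = ACTIONPACK_RANGES.find do |r|
    version >= Gem::Version.new(r[:min]) && version <= Gem::Version.new(r[:max])
  end
  hit && hit[:fixed]
end

# Audit a lockfile and report :not_found, :ok or :affected with the upgrade target.
def audit_lockfile(lockfile_text)
  version = locked_actionpack_version(lockfile_text)
  return { status: :not_found } unless version
  fixed = actionpack_fix_for(version)
  return { status: :ok, version: version.to_s } unless fixed
  { status: :affected, version: version.to_s, upgrade_to: fixed }
end

# Constructed Gemfile.lock fragment used as sample input (not a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.3.4)
        actionview (= 7.1.3.4)
      actionview (7.1.3.4)

  DEPENDENCIES
    actionpack (~> 7.1)
LOCK
```

Running `audit_lockfile` on a real lockfile returns the hash describing whether the locked actionpack release falls inside one of the four ranges above.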
Exploit
Fix
DoS
Allocation of Resources Without Limits
Affected Products
Alt Linux
Action Pack
Debian
Linuxmint
Red Os
Ruby
Ubuntu