CVE-2024-47887

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47887
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47887.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47887
Aliases
Downstream
Related
Published
2024-10-16T20:02:34Z
Modified
2025-10-09T18:06:23.334257Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Action Controller has possible ReDoS vulnerability in HTTP Token authentication
Details

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
375d9a0a7fb329b0fbbd75a13e93e53a00520587
Fixed
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
375d9a0a7fb329b0fbbd75a13e93e53a00520587
Fixed
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128

Affected versions

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.2.1
v7.0.2.2
v7.0.2.3
v7.0.2.4
v7.0.3
v7.0.3.1
v7.0.4
v7.0.4.1
v7.0.4.2
v7.0.4.3
v7.0.5
v7.0.5.1
v7.0.6
v7.0.7
v7.0.7.1
v7.0.7.2
v7.0.8
v7.0.8.1
v7.0.8.2
v7.0.8.3
v7.0.8.4
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.3.1
v7.1.3.2
v7.1.3.3
v7.1.3.4
v7.1.4
v7.2.0
v7.2.1