Bug 1220517 (CVE-2024-26142)

Summary: VUL-0: CVE-2024-26142: rubygem-actionpack-4_2,rubygem-actionpack-5_1: rubygem-actionpack: regular expression DoS in Accept header
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: package coldpool <coldpool>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P5 - None
CC: carlos.lopez
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/395326/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26142:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-02-28 08:47:38 UTC
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26142
https://www.cve.org/CVERecord?id=CVE-2024-26142
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://bugzilla.redhat.com/show_bug.cgi?id=2266324
Comment 1 Carlos López 2024-02-28 08:50:10 UTC
(In reply to SMASH SMASH from comment #0)
> https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

According to this, none of our codestreams are affected (highest version we ship is 7.0.8). I also manually checked that we use the correct regexp. Closing.
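The triage rule applied in the description and in comment 1 (affected from actionpack 7.1.0, fixed in 7.1.3.1, mitigated by Ruby 3.2 or newer), written out as an added Ruby helper; this is example code, not part of Rails, the advisory, or the SUSE packages, and the sample inventory it walks over is constructed.

```ruby
# Added triage helper (not Rails or SUSE code): applies the affected-range
# rule from the advisory text to a given actionpack/Ruby version pair.
require "rubygems"

AFFECTED_FROM  = Gem::Version.new("7.1.0")   # first affected actionpack release
PATCHED_IN     = Gem::Version.new("7.1.3.1") # first fixed actionpack release
RUBY_MITIGATED = Gem::Version.new("3.2.0")   # Ruby 3.2+ mitigates the ReDoS

# True when the actionpack version lies inside the vulnerable range
# [7.1.0, 7.1.3.1). Gem::Version handles four-component versions correctly.
def actionpack_vulnerable?(actionpack_version)
  v = Gem::Version.new(actionpack_version)
  v >= AFFECTED_FROM && v < PATCHED_IN
end

# Returns :unaffected (outside the vulnerable range), :mitigated (in range,
# but running on Ruby 3.2 or newer) or :vulnerable (in range on older Ruby).
def cve_2024_26142_status(actionpack_version, ruby_version)
  return :unaffected unless actionpack_vulnerable?(actionpack_version)
  return :mitigated if Gem::Version.new(ruby_version) >= RUBY_MITIGATED
  :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inventory: the highest version SUSE ships (7.0.8)
  # plus hypothetical deployments on either side of the fix.
  inventory = [
    ["7.0.8", "2.5.9"],
    ["7.1.2", "3.1.4"],
    ["7.1.2", "3.2.2"],
    ["7.1.3.1", "3.1.4"],
  ]
  inventory.each do |ap, rb|
    puts "actionpack #{ap} on ruby #{rb}: #{cve_2024_26142_status(ap, rb)}"
  end
end
```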