Bug 1220517 (CVE-2024-26142) - VUL-0: CVE-2024-26142: rubygem-actionpack-4_2,rubygem-actionpack-5_1: rubygem-actionpack: regular expression DoS in Accept header
Summary: VUL-0: CVE-2024-26142: rubygem-actionpack-4_2,rubygem-actionpack-5_1: rubygem...
Status: RESOLVED FIXED
Alias: CVE-2024-26142
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance (priority : severity): P5 - None : Major
Target Milestone: ---
Assignee: package coldpool
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395326/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26142:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-28 08:47 UTC by SMASH SMASH
Modified: 2024-02-28 08:50 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description SMASH SMASH 2024-02-28 08:47:38 UTC
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26142
https://www.cve.org/CVERecord?id=CVE-2024-26142
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://bugzilla.redhat.com/show_bug.cgi?id=2266324
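The Ruby block below is an added example and is not Action Dispatch's own Accept parser, nor the regexp touched by the Rails fix. It illustrates the two points in the description that matter to a practitioner: Ruby 3.2's matching engine runs regexps without backreferences or lookaround in linear time (which is why Rails applications on Ruby 3.2 or newer are unaffected), and `Regexp.linear_time?` plus the process-wide `Regexp.timeout` (both Ruby 3.2 APIs) let you check and backstop that. For applications stuck on older Ruby and older Rails, it also shows a regexp-free Accept header parser whose cost is linear in the header length. The constant and helper names are assumptions, and the two regexps are constructed illustrations of the ReDoS shape, not the pattern from the advisory.

```ruby
# Added example (not Rails/Action Dispatch code): checks for header-parsing
# regexps under Ruby 3.2's mitigations, plus a regexp-free Accept parser.
# The regexps below are constructed illustrations of the ReDoS shape and are
# NOT the pattern from the Rails advisory.

# Nested quantifier over overlapping classes: the textbook super-linear
# backtracking shape on pre-3.2 Ruby. (Constructed, hypothetical pattern.)
NESTED_QUANTIFIER_RE = /\A(\w+\s*)*;\z/

# A backreference opts a regexp out of the 3.2 memoization, so it is NOT
# covered by the linear-time guarantee even on new Ruby. (Constructed.)
BACKREF_RE = /\A(\w+)\s*=\s*\1\z/

# true/false on Ruby >= 3.2, nil on older Ruby where the check does not exist.
def linear_time?(re)
  return nil unless Regexp.respond_to?(:linear_time?)
  Regexp.linear_time?(re)
end

# Process-wide backstop for regexps the optimisation cannot cover.
# Returns true if installed, false on Ruby < 3.2 (no Regexp.timeout=).
def install_regexp_timeout(seconds)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

AcceptEntry = Struct.new(:media_type, :q, :params, :order)

# Regexp-free Accept header parser: every step is a split or a strip, so the
# work is linear in the header length no matter how the input is shaped.
# Only the q parameter is interpreted; other parameters are kept verbatim.
# Specificity tie-breaking (text/html over text/*) is deliberately omitted.
def parse_accept(header)
  entries = []
  header.to_s.split(",").each_with_index do |item, order|
    media_type, *raw_params = item.split(";").map(&:strip)
    next if media_type.nil? || media_type.empty?

    params = {}
    raw_params.each do |pair|
      key, value = pair.split("=", 2)
      next if key.nil? || key.empty?
      params[key.downcase] = value.to_s.strip
    end

    q = params.delete("q")
    weight = q ? Float(q, exception: false) : 1.0
    # Drop entries with a malformed or out-of-range q instead of guessing.
    next if weight.nil? || weight < 0.0 || weight > 1.0

    entries << AcceptEntry.new(media_type, weight, params, order)
  end
  # Highest q first; original position breaks ties.
  entries.sort_by { |e| [-e.q, e.order] }
end

if __FILE__ == $PROGRAM_NAME
  p linear_time?(NESTED_QUANTIFIER_RE)   # true on Ruby >= 3.2, nil on older Ruby
  p linear_time?(BACKREF_RE)             # false on Ruby >= 3.2, nil on older Ruby
  install_regexp_timeout(1.0)
  parse_accept("text/html;q=0.9, application/json, */*;q=0.1").each do |e|
    puts "#{e.media_type} q=#{e.q} #{e.params}"
  end
  # Constructed hostile-looking input: a long run of separators, one pass.
  p parse_accept("text/html" + ";" * 100_000 + ",*/*").size   # 2
end
```

On Ruby 3.2 or newer the nested-quantifier pattern is reported as linear-time because the engine memoises (state, position) pairs; the backreference pattern is not, so for such regexps `Regexp.timeout` (or the per-regexp `timeout:` keyword of `Regexp.new`) is the remaining defence. On older Ruby the only reliable fix is to upgrade the gem or avoid backtracking-prone patterns on attacker-controlled headers altogether, as the split-based parser does.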
Comment 1 Carlos López 2024-02-28 08:50:10 UTC
(In reply to SMASH SMASH from comment #0)
> https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

According to this, none of our codestreams are affected (highest version we ship is 7.0.8). I also manually checked that we use the correct regexp. Closing.