CVE-2023-22795 (GCVE-0-2023-22795)
Vulnerability from cvelistv5 – Published: 2023-02-09 00:00 – Updated: 2024-08-02 10:20 – CWE-400 - Denial of Service (CWE-400)
| Vendor | Product | Version |
|---|---|---|
| n/a | https://github.com/rails/rails | Affected: 6.1.7.1, 7.0.4.1 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T10:20:30.901Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "https://github.com/rails/rails",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "6.1.7.1, 7.0.4.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "Denial of Service (CWE-400)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-02T14:06:23.429Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"name": "DSA-5372",
"tags": [
"vendor-advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2023-22795",
"datePublished": "2023-02-09T00:00:00.000Z",
"dateReserved": "2023-01-06T00:00:00.000Z",
"dateUpdated": "2024-08-02T10:20:30.901Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2023-22795",
"date": "2026-05-26",
"epss": "0.01339",
"percentile": "0.80232"
},
"fkie_nvd": {
"configurations": "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"6.1.7.1\", \"matchCriteriaId\": \"3A4B1AF3-B872-4699-9EFF-BD9B9822B5D7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"7.0.0\", \"versionEndExcluding\": \"7.0.4.1\", \"matchCriteriaId\": \"CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"3.2.0\", \"matchCriteriaId\": \"F841AE5D-60DD-4E3A-854A-9B7B906BF7E7\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.\"}]",
"id": "CVE-2023-22795",
"lastModified": "2024-11-21T07:45:26.440",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}]}",
"published": "2023-02-09T20:15:11.420",
"references": "[{\"url\": \"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\", \"source\": \"support@hackerone.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240202-0010/\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5372\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240202-0010/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5372\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-400\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1333\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2023-22795\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2023-02-09T20:15:11.420\",\"lastModified\":\"2024-11-21T07:45:26.440\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"6.1.7.1\",\"matchCriteriaId\":\"3A4B1AF3-B872-4699-9EFF-BD9B9822B5D7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.4.1\",\"matchCriteriaId\":\"CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"3.2.0\",\"matchCriteriaId\":\"F841AE5D-60DD-4E3A-854A-9B7B906BF7E7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240202-0010/\",\"source\":\"support@hackerone.com\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5372\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240202-0010/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.debian.org/security/2023/dsa-5372\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
CERTFR-2024-AVI-0514
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 |
| IBM | Db2 | Db2 on Cloud Pak for Data versions antérieures à v5.0 |
| IBM | Storage Protect | Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x antérieures à 8.1.23.0 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.3.x antérieures à 6.3.0.3_iFix004 |
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 |
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 12.0.x antérieures à 12.0.3.15 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.1.x antérieures à 6.1.0.2_iFix087 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.0.x antérieures à 6.0.0.4_iFix088 |
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 12.0.x antérieures à 12.0.3.15 |
| IBM | Db2 | Db2 Warehouse on Cloud Pak for Data versions antérieures à v5.0 |
| IBM | QRadar | QRadar Suite Software versions 1.10.x antérieures à 1.10.22.0 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.2.x antérieures à 6.2.0.6_iFix020 |
| IBM | Cloud Pak | Cloud Pak for Security versions 1.10.x antérieures à 1.10.22.0 |
| IBM | Storage Protect | Storage Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.23.0 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Watson Explorer DAE Foundational Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.3_iFix004",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Foundational Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.2_iFix087",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.0.x ant\u00e9rieures \u00e0 6.0.0.4_iFix088",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.6_iFix020",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2020-2803",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2803"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"name": "CVE-2021-2163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2163"
},
{
"name": "CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"name": "CVE-2024-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3772"
},
{
"name": "CVE-2021-2161",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2161"
},
{
"name": "CVE-2023-3817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3817"
},
{
"name": "CVE-2024-34351",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34351"
},
{
"name": "CVE-2022-21299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21299"
},
{
"name": "CVE-2020-2773",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2773"
},
{
"name": "CVE-2020-2805",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2805"
},
{
"name": "CVE-2020-2830",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2830"
},
{
"name": "CVE-2020-2781",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2781"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2022-21305",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21305"
},
{
"name": "CVE-2024-22243",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2024-24557",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24557"
},
{
"name": "CVE-2023-22795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22795"
},
{
"name": "CVE-2024-23082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23082"
},
{
"name": "CVE-2024-25026",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2024-28180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
},
{
"name": "CVE-2024-22262",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
},
{
"name": "CVE-2021-32052",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32052"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2024-22329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
},
{
"name": "CVE-2020-2659",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2659"
},
{
"name": "CVE-2024-30251",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30251"
},
{
"name": "CVE-2024-27306",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27306"
},
{
"name": "CVE-2024-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23807"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2022-21365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21365"
},
{
"name": "CVE-2022-21294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21294"
},
{
"name": "CVE-2024-27289",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27289"
},
{
"name": "CVE-2024-38329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38329"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21341"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2020-2604",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2604"
},
{
"name": "CVE-2022-21340",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21340"
},
{
"name": "CVE-2024-23081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23081"
},
{
"name": "CVE-2022-21293",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21293"
},
{
"name": "CVE-2020-2800",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2800"
},
{
"name": "CVE-2022-21282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21282"
},
{
"name": "CVE-2022-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21349"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2021-20264",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20264"
},
{
"name": "CVE-2022-21248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21248"
},
{
"name": "CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"name": "CVE-2024-22259",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2023-47726",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47726"
},
{
"name": "CVE-2020-2757",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2757"
},
{
"name": "CVE-2023-42282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
},
{
"name": "CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"name": "CVE-2024-1681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1681"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2020-2756",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2756"
},
{
"name": "CVE-2022-21476",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21476"
},
{
"name": "CVE-2022-21541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
},
{
"name": "CVE-2022-21360",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21360"
},
{
"name": "CVE-2022-21296",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21296"
},
{
"name": "CVE-2022-21540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0514",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-06-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-06-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7158042",
"url": "https://www.ibm.com/support/pages/node/7158042"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157662",
"url": "https://www.ibm.com/support/pages/node/7157662"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157750",
"url": "https://www.ibm.com/support/pages/node/7157750"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157924",
"url": "https://www.ibm.com/support/pages/node/7157924"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157753",
"url": "https://www.ibm.com/support/pages/node/7157753"
},
{
"published_at": "2024-06-20",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157847",
"url": "https://www.ibm.com/support/pages/node/7157847"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157927",
"url": "https://www.ibm.com/support/pages/node/7157927"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157929",
"url": "https://www.ibm.com/support/pages/node/7157929"
}
]
}
CERTFR-2024-AVI-0514
Vulnerability from certfr_avis - Published: - Updated:
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description |
|---|---|---|
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 |
| IBM | Db2 | Db2 on Cloud Pak for Data versions antérieures à v5.0 |
| IBM | Storage Protect | Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x antérieures à 8.1.23.0 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.3.x antérieures à 6.3.0.3_iFix004 |
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 11.0.x antérieures à 11.0.2 Fix Pack 19 |
| IBM | Watson Explorer | Watson Explorer DAE Foundational Components versions 12.0.x antérieures à 12.0.3.15 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.1.x antérieures à 6.1.0.2_iFix087 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.0.x antérieures à 6.0.0.4_iFix088 |
| IBM | Watson Explorer | Watson Explorer DAE Analytical Components versions 12.0.x antérieures à 12.0.3.15 |
| IBM | Db2 | Db2 Warehouse on Cloud Pak for Data versions antérieures à v5.0 |
| IBM | QRadar | QRadar Suite Software versions 1.10.x antérieures à 1.10.22.0 |
| IBM | Sterling Connect:Direct | Sterling Connect:Direct pour Microsoft Windows versions 6.2.x antérieures à 6.2.0.6_iFix020 |
| IBM | Cloud Pak | Cloud Pak for Security versions 1.10.x antérieures à 1.10.22.0 |
| IBM | Storage Protect | Storage Protect Backup-Archive Client versions 8.1.x antérieures à 8.1.23.0 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Watson Explorer DAE Foundational Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect for Virtual Environments: Data Protection pour Hyper-V et VMware versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.3.x ant\u00e9rieures \u00e0 6.3.0.3_iFix004",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 11.0.x ant\u00e9rieures \u00e0 11.0.2 Fix Pack 19",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Foundational Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.1.x ant\u00e9rieures \u00e0 6.1.0.2_iFix087",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.0.x ant\u00e9rieures \u00e0 6.0.0.4_iFix088",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Watson Explorer DAE Analytical Components versions 12.0.x ant\u00e9rieures \u00e0 12.0.3.15",
"product": {
"name": "Watson Explorer",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Db2 Warehouse on Cloud Pak for Data versions ant\u00e9rieures \u00e0 v5.0",
"product": {
"name": "Db2",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Connect:Direct pour Microsoft Windows versions 6.2.x ant\u00e9rieures \u00e0 6.2.0.6_iFix020",
"product": {
"name": "Sterling Connect:Direct",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions 1.10.x ant\u00e9rieures \u00e0 1.10.22.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Storage Protect Backup-Archive Client versions 8.1.x ant\u00e9rieures \u00e0 8.1.23.0",
"product": {
"name": "Storage Protect",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2020-2803",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2803"
},
{
"name": "CVE-2024-29041",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29041"
},
{
"name": "CVE-2024-28849",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
},
{
"name": "CVE-2021-2163",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2163"
},
{
"name": "CVE-2023-45288",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-45288"
},
{
"name": "CVE-2024-3772",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-3772"
},
{
"name": "CVE-2021-2161",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-2161"
},
{
"name": "CVE-2023-3817",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3817"
},
{
"name": "CVE-2024-34351",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34351"
},
{
"name": "CVE-2022-21299",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21299"
},
{
"name": "CVE-2020-2773",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2773"
},
{
"name": "CVE-2020-2805",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2805"
},
{
"name": "CVE-2020-2830",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2830"
},
{
"name": "CVE-2020-2781",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2781"
},
{
"name": "CVE-2023-28322",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28322"
},
{
"name": "CVE-2022-21305",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21305"
},
{
"name": "CVE-2024-22243",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22243"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2023-5363",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5363"
},
{
"name": "CVE-2024-24557",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24557"
},
{
"name": "CVE-2023-22795",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-22795"
},
{
"name": "CVE-2024-23082",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23082"
},
{
"name": "CVE-2024-25026",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25026"
},
{
"name": "CVE-2020-8565",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8565"
},
{
"name": "CVE-2024-28180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28180"
},
{
"name": "CVE-2024-22262",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22262"
},
{
"name": "CVE-2021-32052",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-32052"
},
{
"name": "CVE-2024-30172",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30172"
},
{
"name": "CVE-2023-35116",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-35116"
},
{
"name": "CVE-2024-23672",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23672"
},
{
"name": "CVE-2023-3978",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3978"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2024-22329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22329"
},
{
"name": "CVE-2020-2659",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2659"
},
{
"name": "CVE-2024-30251",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30251"
},
{
"name": "CVE-2024-27306",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27306"
},
{
"name": "CVE-2024-23807",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23807"
},
{
"name": "CVE-2023-28321",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-28321"
},
{
"name": "CVE-2019-11250",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11250"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2022-21365",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21365"
},
{
"name": "CVE-2022-21294",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21294"
},
{
"name": "CVE-2024-27289",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-27289"
},
{
"name": "CVE-2024-38329",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-38329"
},
{
"name": "CVE-2022-34169",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-34169"
},
{
"name": "CVE-2022-21341",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21341"
},
{
"name": "CVE-2024-24549",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24549"
},
{
"name": "CVE-2020-2604",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2604"
},
{
"name": "CVE-2022-21340",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21340"
},
{
"name": "CVE-2024-23081",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23081"
},
{
"name": "CVE-2022-21293",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21293"
},
{
"name": "CVE-2020-2800",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2800"
},
{
"name": "CVE-2022-21282",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21282"
},
{
"name": "CVE-2022-21349",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21349"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2021-20264",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20264"
},
{
"name": "CVE-2022-21248",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21248"
},
{
"name": "CVE-2024-29180",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29180"
},
{
"name": "CVE-2024-22259",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22259"
},
{
"name": "CVE-2024-22257",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22257"
},
{
"name": "CVE-2023-47726",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-47726"
},
{
"name": "CVE-2020-2757",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2757"
},
{
"name": "CVE-2023-42282",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42282"
},
{
"name": "CVE-2023-39325",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39325"
},
{
"name": "CVE-2024-1681",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-1681"
},
{
"name": "CVE-2023-3446",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-3446"
},
{
"name": "CVE-2024-24786",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-24786"
},
{
"name": "CVE-2024-22354",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-22354"
},
{
"name": "CVE-2020-2756",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-2756"
},
{
"name": "CVE-2022-21476",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21476"
},
{
"name": "CVE-2022-21541",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21541"
},
{
"name": "CVE-2022-21360",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21360"
},
{
"name": "CVE-2022-21296",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21296"
},
{
"name": "CVE-2022-21540",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-21540"
},
{
"name": "CVE-2023-38545",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-38545"
}
],
"links": [],
"reference": "CERTFR-2024-AVI-0514",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2024-06-21T00:00:00.000000"
}
],
"risks": [
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
},
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Injection de requ\u00eates ill\u00e9gitimes par rebond (CSRF)"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2024-06-19",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7158042",
"url": "https://www.ibm.com/support/pages/node/7158042"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157662",
"url": "https://www.ibm.com/support/pages/node/7157662"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157750",
"url": "https://www.ibm.com/support/pages/node/7157750"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157924",
"url": "https://www.ibm.com/support/pages/node/7157924"
},
{
"published_at": "2024-06-17",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157753",
"url": "https://www.ibm.com/support/pages/node/7157753"
},
{
"published_at": "2024-06-20",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157847",
"url": "https://www.ibm.com/support/pages/node/7157847"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157927",
"url": "https://www.ibm.com/support/pages/node/7157927"
},
{
"published_at": "2024-06-18",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7157929",
"url": "https://www.ibm.com/support/pages/node/7157929"
}
]
}
BDU:2025-01401
Vulnerability from fstec - Published: 09.02.2023 (the date shown is the record's "Дата выявления" / identification date; the BDU record itself gives "Дата публикации" 12.02.2025)
{
"CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, Rails Core Team, Red Hat Inc.",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "11 (Debian GNU/Linux), 12 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), \u043e\u0442 7.0.0 \u0434\u043e 7.0.4.1 (Ruby on Rails), 6.14 for RHEL 8 (Red Hat Satellite), \u0434\u043e 6.1.7.1 (Ruby on Rails)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0412 \u0443\u0441\u043b\u043e\u0432\u0438\u044f\u0445 \u043e\u0442\u0441\u0443\u0442\u0441\u0442\u0432\u0438\u044f \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0439 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u043e\u0442 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u0438\u0434\u0435\u0440\u0436\u0438\u0432\u0430\u0442\u044c\u0441\u044f \"\u0420\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439 \u043f\u043e \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0439 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0435 \u043e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c LINUX\", \u0438\u0437\u043b\u043e\u0436\u0435\u043d\u043d\u044b\u0445 \u0432 \u043c\u0435\u0442\u043e\u0434\u0438\u0447\u0435\u0441\u043a\u043e\u043c \u0434\u043e\u043a\u0443\u043c\u0435\u043d\u0442\u0435 \u0424\u0421\u0422\u042d\u041a \u0420\u043e\u0441\u0441\u0438\u0438, \u0443\u0442\u0432\u0435\u0440\u0436\u0434\u0451\u043d\u043d\u043e\u043c 25 \u0434\u0435\u043a\u0430\u0431\u0440\u044f 2022 \u0433\u043e\u0434\u0430.\n\n\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Ruby on Rails:\nhttps://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u043e\u0421: \nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2023-22795\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2023-22795",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "09.02.2023",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "12.02.2025",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "12.02.2025",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2025-01401",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-22795",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Ruby on Rails, Red Hat Satellite",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 12 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751)",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action Dispatch \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action Dispatch \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118\nhttps://redos.red-soft.ru/support/secure/\nhttps://access.redhat.com/security/cve/cve-2023-22795\nhttps://security-tracker.debian.org/tracker/CVE-2023-22795",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}
FKIE_CVE-2023-22795
Vulnerability from fkie_nvd - Published: 2023-02-09 20:15 - Updated: 2024-11-21 07:45
| Vendor | Product | Version | |
|---|---|---|---|
| rubyonrails | rails | * | |
| rubyonrails | rails | * | |
| ruby-lang | ruby | * | |
| debian | debian_linux | 11.0 | |
Note: the ruby-lang/ruby row is a platform condition, not an affected product. In the configuration below it is ANDed with the two rails ranges and carries "vulnerable": false with versionEndExcluding 3.2.0 — i.e. the rails ranges count as vulnerable only when the application runs on a Ruby older than 3.2.0.
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A4B1AF3-B872-4699-9EFF-BD9B9822B5D7",
"versionEndExcluding": "6.1.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F841AE5D-60DD-4E3A-854A-9B7B906BF7E7",
"versionEndExcluding": "3.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"id": "CVE-2023-22795",
"lastModified": "2024-11-21T07:45:26.440",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-09T20:15:11.420",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-8XWW-X3G3-6JCV
Vulnerability from github – Published: 2023-01-18 18:20 – Updated: 2025-03-31 13:23
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.
Versions Affected: All. Not affected: None. Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1.
Note that 5.2.8.15 is a Rails LTS release: the rails/rails tags referenced below are only v6.1.7.1 and v7.0.4.1, and the GHSA affected ranges below (4.0.0.beta1 up to, but excluding, 6.1.7.1) do not carve it out, so tooling driven by those ranges will still flag it. Only the ruby-advisory-db entry on this page lists "~> 5.2.8, >= 5.2.8.15" as patched.
Impact
A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking when running on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. Because the trigger is a single request header, no authentication or user interaction is required — NVD scores it CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, HIGH), so in effect each such request can occupy a process for as long as the backtracking runs. Note that the GitHub database_specific severity below says LOW while NVD rates it HIGH; triage on the vector, not the label. All users running an affected release should either upgrade or use one of the workarounds immediately.
Releases
The FIXED releases are available at the normal locations.
Workarounds
We recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application. The advisory does not define "malicious"; since the trigger is backtracking on the header value, a practical edge rule is to cap the header's length (or drop the header entirely, which should only affect conditional-GET/304 handling) rather than trying to recognise specific payloads. Treat this as a stop-gap, not a fix.
Users on Ruby 3.2.0 or greater are not affected by this vulnerability. This is a property of the Ruby interpreter the application runs on, not of the Rails version, so a gem-version scan alone cannot distinguish affected from unaffected deployments; conversely, the patched Rails code should still be applied so the protection does not silently disappear if the application is later run on an older Ruby.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series
7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series
Please note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. (The release announcement referenced below covers 6.0.6.1 alongside 6.1.7.1 and 7.0.4.1, but no source on this page lists 6.0.6.1 as a fixed version for this CVE and the GHSA range treats everything below 6.1.7.1 as affected; verify against the 6.0.6.1 changelog before treating it as patched.)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.beta1"
},
{
"fixed": "6.1.7.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "7.0.0"
},
{
"fixed": "7.0.4.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-22795"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-01-18T18:20:51Z",
"nvd_published_at": "2023-02-09T20:15:00Z",
"severity": "LOW"
},
"details": "There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All Not affected: None Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\nImpact\n\nA specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.\nReleases\n\nThe FIXED releases are available at the normal locations.\nWorkarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the meantime, users can mitigate this vulnerability by using a load balancer or other device to filter out malicious If-None-Match headers before they reach the application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.\nPatches\n\nTo aid users who aren\u2019t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n 6-1-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 6.1 series\n 7-0-Avoid-regex-backtracking-on-If-None-Match-header.patch - Patch for 7.0 series\n\nPlease note that only the 7.0.Z and 6.1.Z series are supported at present, and 6.0.Z for severe vulnerabilities. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.",
"id": "GHSA-8xww-x3g3-6jcv",
"modified": "2025-03-31T13:23:06Z",
"published": "2023-01-18T18:20:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22795"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"
},
{
"type": "WEB",
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v6.1.7.1"
},
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"
},
{
"type": "WEB",
"url": "https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "ReDoS based DoS vulnerability in Action Dispatch"
}
GSD-2023-22795
Vulnerability from gsd - Updated: 2023-01-18 00:00
{
"GSD": {
"alias": "CVE-2023-22795",
"id": "GSD-2023-22795",
"references": [
"https://www.suse.com/security/cve/CVE-2023-22795.html",
"https://www.debian.org/security/2023/dsa-5372"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2023-22795",
"GHSA-8xww-x3g3-6jcv"
],
"details": "There is a possible regular expression based DoS vulnerability in Action\nDispatch related to the If-None-Match header. This vulnerability has been\nassigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted HTTP If-None-Match header can cause the regular\nexpression engine to enter a state of catastrophic backtracking, when on a\nversion of Ruby below 3.2.0. This can cause the process to use large amounts\nof CPU and memory, leading to a possible DoS vulnerability All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious If-None-Match headers before they reach\nthe application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.",
"id": "GSD-2023-22795",
"modified": "2023-01-18T00:00:00.000Z",
"published": "2023-01-18T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
}
],
"schema_version": "1.4.0",
"summary": "ReDoS based DoS vulnerability in Action Dispatch"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2023-22795",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/rails/rails",
"version": {
"version_data": [
{
"version_value": "6.1.7.1, 7.0.4.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118",
"refsource": "MISC",
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"name": "DSA-5372",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2023/dsa-5372"
},
{
"name": "https://security.netapp.com/advisory/ntap-20240202-0010/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2023-22795",
"date": "2023-01-18",
"description": "There is a possible regular expression based DoS vulnerability in Action\nDispatch related to the If-None-Match header. This vulnerability has been\nassigned the CVE identifier CVE-2023-22795.\n\nVersions Affected: All\nNot affected: None\nFixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1\n\n# Impact\n\nA specially crafted HTTP If-None-Match header can cause the regular\nexpression engine to enter a state of catastrophic backtracking, when on a\nversion of Ruby below 3.2.0. This can cause the process to use large amounts\nof CPU and memory, leading to a possible DoS vulnerability All users running\nan affected release should either upgrade or use one of the workarounds\nimmediately.\n\n# Workarounds\n\nWe recommend that all users upgrade to one of the FIXED versions. In the\nmeantime, users can mitigate this vulnerability by using a load balancer or\nother device to filter out malicious If-None-Match headers before they reach\nthe application.\n\nUsers on Ruby 3.2.0 or greater are not affected by this vulnerability.",
"gem": "actionpack",
"ghsa": "8xww-x3g3-6jcv",
"patched_versions": [
"~\u003e 5.2.8, \u003e= 5.2.8.15",
"~\u003e 6.1.7, \u003e= 6.1.7.1",
"\u003e= 7.0.4.1"
],
"title": "ReDoS based DoS vulnerability in Action Dispatch",
"url": "https://github.com/rails/rails/releases/tag/v7.0.4.1"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c6.1.7.1||\u003e=7.0.0 \u003c7.0.4.1",
"affected_versions": "All versions before 6.1.7.1, all versions starting from 7.0.0 before 7.0.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-1333",
"CWE-937"
],
"date": "2023-03-28",
"description": "There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"fixed_versions": [
"6.1.7.1",
"7.0.4.1"
],
"identifier": "GMS-2023-56",
"identifiers": [
"CVE-2023-22795",
"GHSA-8xww-x3g3-6jcv",
"GMS-2023-56"
],
"not_impacted": "All versions starting from 6.1.7.1 before 7.0.0, all versions starting from 7.0.4.1",
"package_slug": "gem/actionpack",
"pubdate": "2023-02-09",
"solution": "Upgrade to versions 6.1.7.1, 7.0.4.1 or above.",
"title": "ReDoS based DoS vulnerability in Action Dispatch",
"urls": [
"https://github.com/rails/rails/releases/tag/v7.0.4.1",
"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"
],
"uuid": "28e35361-0e15-4f89-903e-9769326ab222"
},
{
"affected_range": "\u003c6.1.7.1||\u003e=7.0.0 \u003c7.0.4.1",
"affected_versions": "All versions before 6.1.7.1, all versions starting from 7.0.0 before 7.0.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-1333",
"CWE-937"
],
"date": "2023-04-27",
"description": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"fixed_versions": [
"6.1.7.1",
"7.0.4.1"
],
"identifier": "CVE-2023-22795",
"identifiers": [
"CVE-2023-22795"
],
"not_impacted": "All versions starting from 6.1.7.1 before 7.0.0, all versions starting from 7.0.4.1",
"package_slug": "gem/rails",
"pubdate": "2023-02-09",
"solution": "Upgrade to versions 6.1.7.1, 7.0.4.1 or above.",
"title": "Inefficient Regular Expression Complexity",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2023-22795",
"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
],
"uuid": "996eca5b-8425-49eb-b181-66b61f6a13e1"
}
]
},
"nvd.nist.gov": {
"cve": {
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "3A4B1AF3-B872-4699-9EFF-BD9B9822B5D7",
"versionEndExcluding": "6.1.7.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"matchCriteriaId": "CDA4E147-AAD7-4EA9-BB6B-8358610FEE9A",
"versionEndExcluding": "7.0.4.1",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F841AE5D-60DD-4E3A-854A-9B7B906BF7E7",
"versionEndExcluding": "3.2.0",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately."
}
],
"id": "CVE-2023-22795",
"lastModified": "2024-02-02T14:15:53.343",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2023-02-09T20:15:11.420",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"
},
{
"source": "support@hackerone.com",
"url": "https://security.netapp.com/advisory/ntap-20240202-0010/"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2023/dsa-5372"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
}
]
}
}
}
}
MSRC_CVE-2023-22795
Vulnerability from csaf_microsoft - Published: 2023-02-01 00:00 - Updated: 2023-05-25 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 17970-16820 | — | | |
| Unresolved product id: 17971-17086 | — | | |
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2023/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2023-22795 A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-22795.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"tracking": {
"current_release_date": "2023-05-25T00:00:00.000Z",
"generator": {
"date": "2025-10-20T00:15:36.632Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2023-22795",
"initial_release_date": "2023-02-01T00:00:00.000Z",
"revision_history": [
{
"date": "2023-02-18T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
},
{
"date": "2023-05-25T00:00:00.000Z",
"legacy_version": "1.1",
"number": "2",
"summary": "Information published."
}
],
"status": "final",
"version": "2"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0",
"product_id": "16820"
}
},
{
"category": "product_version",
"name": "2.0",
"product": {
"name": "CBL Mariner 2.0",
"product_id": "17086"
}
}
],
"category": "product_name",
"name": "Azure Linux"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003ccm1 ruby 2.6.10-1",
"product": {
"name": "\u003ccm1 ruby 2.6.10-1",
"product_id": "2"
}
},
{
"category": "product_version",
"name": "cm1 ruby 2.6.10-1",
"product": {
"name": "cm1 ruby 2.6.10-1",
"product_id": "17970"
}
},
{
"category": "product_version_range",
"name": "\u003ccbl2 ruby 3.1.4-1",
"product": {
"name": "\u003ccbl2 ruby 3.1.4-1",
"product_id": "1"
}
},
{
"category": "product_version",
"name": "cbl2 ruby 3.1.4-1",
"product": {
"name": "cbl2 ruby 3.1.4-1",
"product_id": "17971"
}
}
],
"category": "product_name",
"name": "ruby"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccm1 ruby 2.6.10-1 as a component of CBL Mariner 1.0",
"product_id": "16820-2"
},
"product_reference": "2",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cm1 ruby 2.6.10-1 as a component of CBL Mariner 1.0",
"product_id": "17970-16820"
},
"product_reference": "17970",
"relates_to_product_reference": "16820"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003ccbl2 ruby 3.1.4-1 as a component of CBL Mariner 2.0",
"product_id": "17086-1"
},
"product_reference": "1",
"relates_to_product_reference": "17086"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cbl2 ruby 3.1.4-1 as a component of CBL Mariner 2.0",
"product_id": "17971-17086"
},
"product_reference": "17971",
"relates_to_product_reference": "17086"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22795",
"cwe": {
"id": "CWE-1333",
"name": "Inefficient Regular Expression Complexity"
},
"notes": [
{
"category": "general",
"text": "hackerone",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"17970-16820",
"17971-17086"
],
"known_affected": [
"16820-2",
"17086-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2023-22795 A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2023/msrc_cve-2023-22795.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2023-02-18T00:00:00.000Z",
"details": "2.6.10-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"16820-2"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
},
{
"category": "vendor_fix",
"date": "2023-02-18T00:00:00.000Z",
"details": "3.1.4-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"17086-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"temporalScore": 7.5,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"16820-2",
"17086-1"
]
}
],
"title": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately."
}
]
}
OPENSUSE-SU-2024:12765-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x | — | | Vendor Fix |
| Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 | — | | Vendor Fix |
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-12765",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12765-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22792 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22792/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22795/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22797 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22797/"
}
],
"title": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:12765-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x"
}
},
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"product_id": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"product": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"product_id": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
},
"product_reference": "ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2023-22792",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22792"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.0.6.1, \u003c6.1.7.1, and \u003c7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22792",
"url": "https://www.suse.com/security/cve/CVE-2023-22792"
},
{
"category": "external",
"summary": "SUSE Bug 1207455 for CVE-2023-22792",
"url": "https://bugzilla.suse.com/1207455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22792"
},
{
"cve": "CVE-2023-22795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22795"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22795",
"url": "https://www.suse.com/security/cve/CVE-2023-22795"
},
{
"category": "external",
"summary": "SUSE Bug 1207451 for CVE-2023-22795",
"url": "https://bugzilla.suse.com/1207451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22795"
},
{
"cve": "CVE-2023-22797",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22797"
}
],
"notes": [
{
"category": "general",
"text": "An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However, the check introduced could be bypassed by an attacker with a carefully crafted URL, resulting in an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22797",
"url": "https://www.suse.com/security/cve/CVE-2023-22797"
},
{
"category": "external",
"summary": "SUSE Bug 1207449 for CVE-2023-22797",
"url": "https://bugzilla.suse.com/1207449"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-actionpack-7.0-7.0.4.1-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-22797"
}
]
}
OPENSUSE-SU-2024:14067-1
Vulnerability from csaf_opensuse - Published: 2024-06-24 00:00 - Updated: 2024-06-24 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14067",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14067-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22792 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22792/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22795/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22797 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22797/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-26143 page",
"url": "https://www.suse.com/security/cve/CVE-2024-26143/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28103 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28103/"
}
],
"title": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-24T00:00:00Z",
"generator": {
"date": "2024-06-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14067-1",
"initial_release_date": "2024-06-24T00:00:00Z",
"revision_history": [
{
"date": "2024-06-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"product": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"product_id": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
},
"product_reference": "ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
},
{
"cve": "CVE-2023-22792",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22792"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.0.6.1, \u003c6.1.7.1, and \u003c7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22792",
"url": "https://www.suse.com/security/cve/CVE-2023-22792"
},
{
"category": "external",
"summary": "SUSE Bug 1207455 for CVE-2023-22792",
"url": "https://bugzilla.suse.com/1207455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22792"
},
{
"cve": "CVE-2023-22795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22795"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22795",
"url": "https://www.suse.com/security/cve/CVE-2023-22795"
},
{
"category": "external",
"summary": "SUSE Bug 1207451 for CVE-2023-22795",
"url": "https://bugzilla.suse.com/1207451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22795"
},
{
"cve": "CVE-2023-22797",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22797"
}
],
"notes": [
{
"category": "general",
"text": "An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However, the check introduced could be bypassed by an attacker with a carefully crafted URL, resulting in an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22797",
"url": "https://www.suse.com/security/cve/CVE-2023-22797"
},
{
"category": "external",
"summary": "SUSE Bug 1207449 for CVE-2023-22797",
"url": "https://bugzilla.suse.com/1207449"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-22797"
},
{
"cve": "CVE-2024-26143",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-26143"
}
],
"notes": [
{
"category": "general",
"text": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications that call translation methods such as translate or t on a controller with a key ending in \"_html\" and a :default key containing untrusted user input, and then use the resulting string in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-26143",
"url": "https://www.suse.com/security/cve/CVE-2024-26143"
},
{
"category": "external",
"summary": "SUSE Bug 1220522 for CVE-2024-26143",
"url": "https://bugzilla.suse.com/1220522"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-26143"
},
{
"cve": "CVE-2024-28103",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28103"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application-configurable Permissions-Policy is only served on responses with an HTML-related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28103",
"url": "https://www.suse.com/security/cve/CVE-2024-28103"
},
{
"category": "external",
"summary": "SUSE Bug 1225996 for CVE-2024-28103",
"url": "https://bugzilla.suse.com/1225996"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-actionpack-7.0-7.0.8.4-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-28103"
}
]
}
OPENSUSE-SU-2025:15110-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 | — |
Vendor Fix
|
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15110",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15110-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2022-23633 page",
"url": "https://www.suse.com/security/cve/CVE-2022-23633/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22792 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22792/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22795 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22795/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2023-22797 page",
"url": "https://www.suse.com/security/cve/CVE-2023-22797/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-26143 page",
"url": "https://www.suse.com/security/cve/CVE-2024-26143/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-28103 page",
"url": "https://www.suse.com/security/cve/CVE-2024-28103/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-41128 page",
"url": "https://www.suse.com/security/cve/CVE-2024-41128/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2024-47887 page",
"url": "https://www.suse.com/security/cve/CVE-2024-47887/"
}
],
"title": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15110-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"product": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"product_id": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"product": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"product_id": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"product": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"product_id": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64",
"product": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64",
"product_id": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64"
},
"product_reference": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le"
},
"product_reference": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x"
},
"product_reference": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
},
"product_reference": "ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-23633",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2022-23633"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Under certain circumstances, response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2022-23633",
"url": "https://www.suse.com/security/cve/CVE-2022-23633"
},
{
"category": "external",
"summary": "SUSE Bug 1196182 for CVE-2022-23633",
"url": "https://bugzilla.suse.com/1196182"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2022-23633"
},
{
"cve": "CVE-2023-22792",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22792"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.0.6.1, \u003c6.1.7.1, and \u003c7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header, can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22792",
"url": "https://www.suse.com/security/cve/CVE-2023-22792"
},
{
"category": "external",
"summary": "SUSE Bug 1207455 for CVE-2023-22792",
"url": "https://bugzilla.suse.com/1207455"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22792"
},
{
"cve": "CVE-2023-22795",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22795"
}
],
"notes": [
{
"category": "general",
"text": "A regular expression based DoS vulnerability in Action Dispatch \u003c6.1.7.1 and \u003c7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22795",
"url": "https://www.suse.com/security/cve/CVE-2023-22795"
},
{
"category": "external",
"summary": "SUSE Bug 1207451 for CVE-2023-22795",
"url": "https://bugzilla.suse.com/1207451"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2023-22795"
},
{
"cve": "CVE-2023-22797",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2023-22797"
}
],
"notes": [
{
"category": "general",
"text": "An open redirect vulnerability is fixed in Rails 7.0.4.1 with the new protection against open redirects from calling redirect_to with untrusted user input. In prior versions the developer was fully responsible for only providing trusted input. However the check introduced could allow an attacker to bypass with a carefully crafted URL resulting in an open redirect vulnerability.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2023-22797",
"url": "https://www.suse.com/security/cve/CVE-2023-22797"
},
{
"category": "external",
"summary": "SUSE Bug 1207449 for CVE-2023-22797",
"url": "https://bugzilla.suse.com/1207449"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2023-22797"
},
{
"cve": "CVE-2024-26143",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-26143"
}
],
"notes": [
{
"category": "general",
"text": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-26143",
"url": "https://www.suse.com/security/cve/CVE-2024-26143"
},
{
"category": "external",
"summary": "SUSE Bug 1220522 for CVE-2024-26143",
"url": "https://bugzilla.suse.com/1220522"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-26143"
},
{
"cve": "CVE-2024-28103",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-28103"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in 6.1.7.8, 7.0.8.2, and 7.1.3.3.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-28103",
"url": "https://www.suse.com/security/cve/CVE-2024-28103"
},
{
"category": "external",
"summary": "SUSE Bug 1225996 for CVE-2024-28103",
"url": "https://bugzilla.suse.com/1225996"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-28103"
},
{
"cve": "CVE-2024-41128",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-41128"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-41128",
"url": "https://www.suse.com/security/cve/CVE-2024-41128"
},
{
"category": "external",
"summary": "SUSE Bug 1231730 for CVE-2024-41128",
"url": "https://bugzilla.suse.com/1231730"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-41128"
},
{
"cve": "CVE-2024-47887",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2024-47887"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller\u0027s HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2024-47887",
"url": "https://www.suse.com/security/cve/CVE-2024-47887"
},
{
"category": "external",
"summary": "SUSE Bug 1231729 for CVE-2024-47887",
"url": "https://bugzilla.suse.com/1231729"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-actionpack-7.0-7.0.8.6-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2024-47887"
}
]
}