Home > Vulnerability Database > CVE-2024-41128

Mend.io Vulnerability Database

CVE-2024-41128

Good to know:

Date: October 16, 2024

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Language: Ruby

Severity Score

7.5

Related Resources (11)

Url: https://github.com/rails/rails

Url: https://github.com/rails/rails/commit/b0fe99fa854ec8ff4498e75779b458392d1560ef

Url: https://github.com/rails/rails/commit/fb493bebae1a9b83e494fe7edbf01f6167d606fd

Url: https://github.com/rails/rails/commit/b1241f468d1b32235f438c2e2203386e6efd3891

Url: https://github.com/rails/rails/commit/27121e80f6dbb260f5a9f0452cd8411cb681f075

Url: https://access.redhat.com/security/cve/cve-2024-41128

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-41128.yml

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2319036

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-41128

Url: https://github.com/rails/rails/security/advisories/GHSA-x76w-6vjr-8xgj

Url: https://www.mend.io/vulnerability-database/CVE-2024-41128

Severity Score

7.5

Weakness Type (CWE)

Allocation of Resources Without Limits or Throttling

CWE-770

Top Fix

Upgrade Version

Upgrade to version actionpack - 6.1.7.9,7.0.8.5,7.1.4.1,7.2.1.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-41128

Good to know:

Date: October 16, 2024

Language: Ruby

Severity Score

Related Resources (11)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?