CVE-2023-22792

moderate-risk

Published 2023-02-09

A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

Do I need to act?

2.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (1)

Rails

Affected Vendors

Rubyonrails

References (6)

Patch https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulner...

https://security.netapp.com/advisory/ntap-20240202-0007/

https://www.debian.org/security/2023/dsa-5372

Patch https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulner...

https://security.netapp.com/advisory/ntap-20240202-0007/

https://www.debian.org/security/2023/dsa-5372

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 6/34 · Minimal

Exposure 5/34 · Minimal