CVE-2021-22904

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-22904
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-22904.json
Published
2021-06-11T16:15:11Z
Modified
2023-11-29T08:42:38.559936Z
Details

The actionpack Ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to an overly permissive regular expression. Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication.

Affected packages

Git / github.com/rails/rails

Affected versions

v6.*

v6.1.0
v6.1.1
v6.1.2
v6.1.2.1
v6.1.3
v6.1.3.1