CVE-2023-22795.yml
---
gem: actionpack
framework: rails
cve: 2023-22795
ghsa: 8xww-x3g3-6jcv
url: /~https://github.com/rails/rails/releases/tag/v7.0.4.1
title: ReDoS based DoS vulnerability in Action Dispatch
date: 2023-01-18
description: |
  There is a possible regular expression based DoS vulnerability in Action
  Dispatch related to the If-None-Match header. This vulnerability has been
  assigned the CVE identifier CVE-2023-22795.

  Versions Affected: All
  Not affected: None
  Fixed Versions: 5.2.8.15 (Rails LTS), 6.1.7.1, 7.0.4.1

  # Impact

  A specially crafted HTTP If-None-Match header can cause the regular
  expression engine to enter a state of catastrophic backtracking, when on a
  version of Ruby below 3.2.0. This can cause the process to use large amounts
  of CPU and memory, leading to a possible DoS vulnerability. All users running
  an affected release should either upgrade or use one of the workarounds
  immediately.

  # Workarounds

  We recommend that all users upgrade to one of the FIXED versions. In the
  meantime, users can mitigate this vulnerability by using a load balancer or
  other device to filter out malicious If-None-Match headers before they reach
  the application.

  Users on Ruby 3.2.0 or greater are not affected by this vulnerability.
patched_versions:
  - "~> 5.2.8, >= 5.2.8.15" # Rails LTS
  - "~> 6.1.7, >= 6.1.7.1"
  - ">= 7.0.4.1"
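The following is an added example, not code from ruby-advisory-db, Rails, or the advisory authors. It turns the advisory into two runnable checks: the `patched_versions` constraints plus the Ruby 3.2.0 caveat become an `affected?` predicate, and the "filter out malicious If-None-Match headers before they reach the application" workaround becomes a Rack-style middleware. The class name, the byte and tag-count limits, and the choice to drop a bad header (turning the request into an unconditional GET) rather than reject the request are assumptions; the entity-tag grammar follows RFC 7232.

```ruby
# Added example; not code from ruby-advisory-db or Rails. Names, size limits and
# the middleware class are assumptions made for illustration.
require "rubygems"

# The advisory's patched_versions constraints as Gem::Requirement objects.
# No 6.0.x release is listed, so every 6.0.x actionpack counts as unpatched.
PATCHED_ACTIONPACK = [
  Gem::Requirement.new("~> 5.2.8", ">= 5.2.8.15"), # Rails LTS
  Gem::Requirement.new("~> 6.1.7", ">= 6.1.7.1"),
  Gem::Requirement.new(">= 7.0.4.1"),
].freeze

def patched_actionpack?(version)
  v = Gem::Version.new(version)
  PATCHED_ACTIONPACK.any? { |req| req.satisfied_by?(v) }
end

# Affected only when the gem is unpatched AND the interpreter is below 3.2.0,
# per the advisory's "Users on Ruby 3.2.0 or greater are not affected".
def affected?(actionpack_version, ruby_version: RUBY_VERSION)
  return false if Gem::Version.new(ruby_version) >= Gem::Version.new("3.2.0")
  !patched_actionpack?(actionpack_version)
end

# Rack-compatible middleware for the "filter the header before it reaches the
# application" workaround. Rather than rejecting the request it removes any
# If-None-Match value that is not a short, well-formed list of ETags; the
# request then proceeds as an unconditional GET, which is always safe.
class IfNoneMatchFilter
  # One entity-tag per RFC 7232: optional W/ weak marker, then a quoted string
  # of visible ASCII other than '"'. obs-text bytes are deliberately excluded.
  # No nested quantifiers, so the match itself is linear in the input length.
  ETAG = %r{\A(?:W/)?"[\x21\x23-\x7E]*"\z}
  MAX_HEADER_BYTES = 1024 # assumption: generous for real ETag lists
  MAX_ETAGS = 16          # assumption

  def initialize(app, max_bytes: MAX_HEADER_BYTES, max_etags: MAX_ETAGS)
    @app = app
    @max_bytes = max_bytes
    @max_etags = max_etags
  end

  def call(env)
    value = env["HTTP_IF_NONE_MATCH"]
    env.delete("HTTP_IF_NONE_MATCH") if value && !acceptable?(value)
    @app.call(env)
  end

  # True for "*" or for 1..max_etags comma-separated well-formed entity-tags
  # within the byte budget. The size check runs first so nothing downstream
  # ever works on an oversized header.
  def acceptable?(value)
    return false if value.bytesize > @max_bytes
    return true if value.strip == "*"
    tags = value.split(",").map(&:strip)
    return false if tags.empty? || tags.size > @max_etags
    tags.all? { |t| ETAG.match?(t) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, not captured traffic.
  puts "actionpack 7.0.4 on Ruby 3.1.3: affected=#{affected?("7.0.4", ruby_version: "3.1.3")}"
  puts "actionpack 7.0.4 on Ruby 3.2.0: affected=#{affected?("7.0.4", ruby_version: "3.2.0")}"
  app = ->(env) { [200, { "content-type" => "text/plain" }, [env.key?("HTTP_IF_NONE_MATCH") ? "conditional" : "unconditional"]] }
  filter = IfNoneMatchFilter.new(app)
  ['"abc", W/"xyz"', "*", 'W/"unterminated', '"' + ("a" * 2000) + '"'].each do |h|
    status, _, body = filter.call("HTTP_IF_NONE_MATCH" => h)
    puts "#{h[0, 24].inspect} -> #{status} #{body.first}"
  end
end
```

In a Rails app this middleware has to sit ahead of Action Dispatch's own conditional-GET handling (for example via `config.middleware.insert_before 0, IfNoneMatchFilter`) for the filter to help; the same byte-length and grammar rule can be expressed on a load balancer or WAF, which is what the advisory's workaround describes. Treat both as stopgaps: the version check is the one that tells you whether you still need them.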