ManageIQ / manageiq-rpm_build

Code to build RPMs for ManageIQ appliances and container images
Apache License 2.0

CVE-2024-47887 (Medium) detected in actionpack-7.2.1.gem - autoclosed #515

Closed mend-bolt-for-github[bot] closed 3 weeks ago

mend-bolt-for-github[bot] commented 1 month ago

CVE-2024-47887 - Medium Severity Vulnerability

Vulnerable Library - actionpack-7.2.1.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-7.2.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/actionpack-7.2.1.gem

Dependency Hierarchy:

- rspec-rails-5.1.2.gem (Root Library)
  - :x: **actionpack-7.2.1.gem** (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater, so it is unaffected.

Publish Date: 2024-10-16

URL: CVE-2024-47887

CVSS 3 Score Details (5.3)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/rails/rails/security/advisories/GHSA-vfg9-r3fq-jvx4

Release Date: 2024-10-16

Fix Resolution: actionpack - 6.1.7.9,7.0.8.5,7.1.4.1,7.2.1.1


mend-bolt-for-github[bot] commented 3 weeks ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.