Vulnerability Name: CVE-2021-22904 (CCN-201283)

Assigned: 2021-05-05
Published: 2021-05-05
Updated: 2021-09-20
Summary: The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High

7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
  Attack Vector (AV): Network
  Attack Complexity (AC): Low
  Privileges Required (PR): None
  User Interaction (UI): None
Scope:
  Scope (S): Unchanged
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): High

CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Partial

7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:
  Access Vector (AV): Network
  Access Complexity (AC): Low
  Authentication (Au): None
Impact Metrics:
  Confidentiality (C): None
  Integrity (I): None
  Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2021-22904

Source: MISC
Type: Exploit, Mitigation, Patch, Vendor Advisory
https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

Source: XF
Type: UNKNOWN
rubyonrails-cve202122904-dos(201283)

Source: MISC
Type: Permissions Required, Third Party Advisory
https://hackerone.com/reports/1101125

Source: CCN
Type: Ruby on Rails Web site
Ruby on Rails

Source: CCN
Type: oss-sec Mailing List, Wed, 5 May 2021 09:40:31 -0700
[CVE-2021-22904] Possible DoS Vulnerability in Action Controller Token Authentication

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210805-0009/

Source: CCN
Type: IBM Security Bulletin 6475299 (Cloud Pak for Multicloud Management)
A security vulnerability in Ruby on Rails affects IBM Cloud Pak for Multicloud Management Infrastructure Management

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:rubyonrails:rails:*:*:*:*:*:*:*:* (Version < 5.2.4.6)
  • OR cpe:/a:rubyonrails:rails:*:*:*:*:*:*:*:* (Version >= 5.2.5 and < 5.2.6)
  • OR cpe:/a:rubyonrails:rails:*:*:*:*:*:*:*:* (Version >= 6.0.0 and < 6.0.3.7)
  • OR cpe:/a:rubyonrails:rails:*:*:*:*:*:*:*:* (Version >= 6.1.0 and < 6.1.3.2)

Configuration CCN 1:
  • cpe:/a:rubyonrails:ruby_on_rails:4.0.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions

Definition ID                            | Class | Title                                                                                   | Last Modified
oval:org.opensuse.security:def:3778      | P     | rsync-3.1.3-1.19 on GA media (Moderate)                                                 | 2022-06-28
oval:org.opensuse.security:def:118648    | P     | Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (Important)       | 2022-06-16
oval:org.opensuse.security:def:1753      | P     | Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (Important)       | 2022-06-16
oval:org.opensuse.security:def:530       | P     | Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (Important)       | 2022-06-16
oval:org.opensuse.security:def:95411     | P     | Security update for rubygem-actionpack-5_1, rubygem-activesupport-5_1 (Important)       | 2022-06-16
oval:org.opensuse.security:def:113370    | P     | ruby2.7-rubygem-actionpack-5.2-5.2.6-1.2 on GA media (Moderate)                         | 2022-01-17
oval:org.opensuse.security:def:113371    | P     | ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2 on GA media (Moderate)                         | 2022-01-17
oval:org.opensuse.security:def:106777    | P     | ruby2.7-rubygem-actionpack-5.2-5.2.6-1.2 on GA media (Moderate)                         | 2021-10-01
oval:org.opensuse.security:def:106778    | P     | ruby2.7-rubygem-actionpack-6.0-6.0.4-1.2 on GA media (Moderate)                         | 2021-10-01