CVE-2023-22792
Denial of Service vulnerability in actionpack (RubyGems)
What is CVE-2023-22792 About?
This regular expression-based denial of service vulnerability in Action Dispatch enables attackers to trigger catastrophic backtracking in the regex engine. By combining specially crafted cookies with a malicious `X_FORWARDED_HOST` header, attackers can consume significant CPU and memory resources. Exploitation is remote and requires specific header and cookie manipulations.
Affected Software
- actionpack
  - >=7.0.0, <7.0.4.1
  - >=6.0.0, <6.1.7.1
  - >=3.0.0, <5.2.8.15
Technical Details
The vulnerability stems from the way Action Dispatch processes cookies and the X_FORWARDED_HOST header, specifically through a regular expression used for parsing domain parts. When crafted in a particular malicious manner, the input strings (cookies and X_FORWARDED_HOST header) can cause the regex engine to enter a state of catastrophic backtracking. This means the engine tries an exponentially increasing number of paths to match the pattern, leading to excessive CPU utilization and memory consumption, ultimately causing a denial of service.
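The following Ruby example is added here to illustrate the mechanism described above and the two defences that matter for it; it is not Rails' own code and does not reproduce the exact expression that was patched in Action Dispatch. The pattern `AMBIGUOUS_DOMAIN_RE` is a constructed stand-in with the same shape of problem (a repeated group whose pieces can be carved from the input in many ways), `extract_cookie_domain` is an assumed linear-time replacement built on `String#split`, and `bounded_match?` shows the per-match timeout that Ruby 3.2 added as defence in depth. The hosts in `SAMPLE_HOSTS` are constructed sample inputs.

```ruby
# Added example, not Rails' own code. AMBIGUOUS_DOMAIN_RE is a constructed
# stand-in for the kind of domain-splitting pattern the advisory describes,
# not the expression that was patched in Action Dispatch.
require "benchmark"

# Each repetition of the group may or may not end with a dot, so a run of
# non-dot characters such as "aaaa" can be split across repetitions in
# 2^(n-1) ways. When the anchor then fails, the engine tries every split.
AMBIGUOUS_DOMAIN_RE = /\A([^.]+\.?)+\z/

# Ruby >= 3.2 raises Regexp::TimeoutError when a match exceeds its budget;
# on older rubies the constant does not exist, so provide a stand-in class.
REGEXP_TIMEOUT_ERROR = defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Hardened replacement (assumed, not Rails' code): no regex, no backtracking.
# Split on dots and keep the rightmost (1 + tld_length) labels; the work is
# linear in the length of the host no matter how it is crafted.
def extract_cookie_domain(host, tld_length = 1)
  return nil if host.nil? || host.empty?
  return nil if host.match?(/\A[\d.]+\z/)          # IPv4 literal: no domain cookie
  labels = host.split(".", -1)                      # -1 keeps trailing empty labels
  return nil if labels.any?(&:empty?)               # empty label: malformed host
  return nil if labels.length < 1 + tld_length      # too few labels for a domain cookie
  "." + labels.last(1 + tld_length).join(".")
end

# Defence in depth: bound the time any single match may take. Regexp.new
# accepts a timeout: keyword since Ruby 3.2; older rubies run unbounded.
# Returns true/false for a completed match and :timed_out when the budget is hit.
def bounded_match?(re, str, seconds: 0.5)
  if Regexp.respond_to?(:timeout=)
    Regexp.new(re.source, re.options, timeout: seconds).match?(str)
  else
    re.match?(str)
  end
rescue REGEXP_TIMEOUT_ERROR
  :timed_out
end

# Wall-clock seconds for the ambiguous pattern on "a" * n + "..", an input it
# can never match. On rubies before 3.2 the time roughly doubles per extra
# character; Ruby >= 3.2 memoises most such matches and keeps them linear,
# which is itself worth knowing when assessing exposure.
def backtracking_cost(n)
  input = ("a" * n) + ".."
  Benchmark.realtime { bounded_match?(AMBIGUOUS_DOMAIN_RE, input, seconds: 2) }
end

# Constructed sample hosts and the cookie domain the linear extractor yields.
SAMPLE_HOSTS = {
  "www.example.com"  => ".example.com",
  "example.com"      => ".example.com",
  "localhost"        => nil,
  "192.168.1.10"     => nil,
  "a..b.example.com" => nil,
}

if __FILE__ == $0
  SAMPLE_HOSTS.each do |host, expected|
    actual = extract_cookie_domain(host)
    puts format("%-20s -> %-14s %s", host, actual.inspect, actual == expected ? "ok" : "MISMATCH")
  end
  [8, 12, 16, 18].each do |n|
    puts format("n=%2d  ambiguous regex: %.4fs", n, backtracking_cost(n))
  end
end
```

The benchmark loop makes the growth visible without asserting on wall-clock numbers, which vary by interpreter; the split-based extractor is the fix that removes the exposure, and the timeout is the layer that limits damage if an ambiguous pattern survives elsewhere in request parsing.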
What is the Impact of CVE-2023-22792?
Successful exploitation may allow attackers to cause the application to become unresponsive or crash, leading to a denial of service for legitimate users and hindering business operations.
What is the Exploitability of CVE-2023-22792?
Exploitation requires the ability to send specific HTTP requests with specially crafted cookies and an X_FORWARDED_HOST header. This makes the exploitation complexity moderate, as the attacker needs to understand the format that triggers catastrophic backtracking. No authentication or specific privileges are required, as the vulnerability affects header parsing. This is a remote attack. The presence of a load balancer or reverse proxy that validates or filters X_FORWARDED_HOST headers could mitigate or prevent exploitation. Without such a defense, the likelihood of exploitation increases significantly.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-22792?
Available Upgrade Options
- actionpack
  - >=3.0.0, <5.2.8.15 → Upgrade to 5.2.8.15
  - >=6.0.0, <6.1.7.1 → Upgrade to 6.1.7.1
  - >=7.0.0, <7.0.4.1 → Upgrade to 7.0.4.1
Additional Resources
- https://github.com/rails/rails/releases/tag/v7.0.4.1
- https://nvd.nist.gov/vuln/detail/CVE-2023-22792
- https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
- https://security.netapp.com/advisory/ntap-20240202-0007
- https://github.com/rails/rails
- https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115
- https://www.debian.org/security/2023/dsa-5372
- https://osv.dev/vulnerability/GHSA-p84v-45xj-wwqj
What are Similar Vulnerabilities to CVE-2023-22792?
Similar Vulnerabilities: CVE-2022-44570, CVE-2021-38171, CVE-2020-8197, CVE-2018-3741, CVE-2016-6316
