CVE-2023-22795
Denial of Service (DoS) vulnerability in actionpack (RubyGems)

Denial of Service (DoS); no known exploit

What is CVE-2023-22795 About?

This vulnerability in Action Dispatch can lead to a Denial of Service due to a regular expression issue. A specially crafted 'If-None-Match' header can trigger catastrophic backtracking in the regex engine, consuming excessive CPU and memory. Exploitation is relatively easy for an unauthenticated remote attacker, leading to system unavailability.

Affected Software

  • actionpack
    • >=7.0.0, <7.0.4.1
    • >=4.0.0.beta1, <6.1.7.1

Technical Details

CVE-2023-22795 is a regular-expression-based Denial of Service (ReDoS) in Action Dispatch, affecting deployments on Ruby versions below 3.2.0. The weakness lies in how Action Dispatch parses the 'If-None-Match' HTTP header: a remote attacker can send a specially crafted header value that, when matched by the regular expression engine, causes catastrophic backtracking. The resulting computation drives up CPU usage and memory consumption in the process handling the request, and the prolonged processing time and resource exhaustion can prevent the application from responding to legitimate requests, producing a Denial of Service condition.

What is the Impact of CVE-2023-22795?

Successful exploitation may allow attackers to consume excessive system resources, leading to a denial of service and making the application unavailable to legitimate users.

What is the Exploitability of CVE-2023-22795?

Exploitation is relatively simple and can be performed remotely without any authentication or specific privileges. An attacker merely needs to send a specially crafted HTTP 'If-None-Match' header to the vulnerable application. The primary prerequisites are that the application is running Ruby on Rails with a Ruby version below 3.2.0. The complexity lies in crafting an effective payload that reliably triggers catastrophic backtracking. Workarounds include using a load balancer to filter malicious headers or upgrading Ruby. The risk factor is high due to the lack of authentication and the potential for easy remote exploitation against vulnerable configurations.
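As an added example of the header-filtering workaround mentioned above (this is not Rails' own code or the upstream fix), the Rack-style middleware below drops an oversized or malformed If-None-Match header before Action Dispatch evaluates it; it validates the entity-tag list with a linear scan rather than a backtracking regex, so its cost grows only with header length. The class name and the 1024-byte cap are assumptions.

```ruby
# Added example (not Rails' own fix): Rack-style middleware that removes a
# malformed or oversized If-None-Match header before Action Dispatch sees it.
# Validation is a linear scan of the entity-tag grammar (RFC 7232), so the
# cost is proportional to header length and cannot backtrack.
class IfNoneMatchGuard
  MAX_HEADER_BYTES = 1024 # assumed cap; real ETag lists are far shorter

  def initialize(app, max_bytes: MAX_HEADER_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    value = env["HTTP_IF_NONE_MATCH"]
    if value && !self.class.well_formed?(value, @max_bytes)
      # Drop only the header: the request still succeeds, it just cannot
      # get a 304 Not Modified, so no legitimate client is refused.
      env = env.dup
      env.delete("HTTP_IF_NONE_MATCH")
    end
    @app.call(env)
  end

  # Accepts "*" or a comma-separated list of entity-tags, each optionally
  # weak (W/) and double-quoted.
  def self.well_formed?(value, max_bytes = MAX_HEADER_BYTES)
    return false if value.bytesize > max_bytes
    return true if value.strip == "*"
    tags = value.split(",")
    return false if tags.empty?
    tags.all? { |tag| entity_tag?(tag.strip) }
  end

  # etagc allows 0x21, 0x23-0x7E and obs-text (>= 0x80). Splitting on commas
  # above also rejects the rare tag containing a literal comma; relax if needed.
  def self.entity_tag?(t)
    t = t[2..] if t.start_with?("W/")
    return false unless t.length >= 2 && t.start_with?('"') && t.end_with?('"')
    t[1...-1].each_byte.all? { |b| b == 0x21 || (0x23..0x7E).cover?(b) || b >= 0x80 }
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(env) { [200, { "content-type" => "text/plain" }, [env.key?("HTTP_IF_NONE_MATCH").to_s]] }
  guard = IfNoneMatchGuard.new(app)
  # Constructed sample headers: a valid weak/strong list and an oversized one.
  samples = ['W/"v1-abc", "v2-def"', '"' + ("x" * 4096) + '"']
  samples.each { |h| puts "#{h[0, 30]}... -> forwarded=#{guard.call("HTTP_IF_NONE_MATCH" => h)[2].first}" }
end
```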

What are the Known Public Exploits?

No known public exploits (no PoC, author, link or commentary recorded).

What are the Available Fixes for CVE-2023-22795?

Available Upgrade Options

  • actionpack
    • >=4.0.0.beta1, <6.1.7.1 → Upgrade to 6.1.7.1
    • >=7.0.0, <7.0.4.1 → Upgrade to 7.0.4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-22795?

Similar Vulnerabilities: CVE-2022-37454, CVE-2020-8116, CVE-2021-43818, CVE-2021-3807, CVE-2020-13936