CVE-2023-22796
DoS vulnerability in activesupport (RubyGems)
What is CVE-2023-22796 About?
This is a regular expression-based Denial of Service (DoS) vulnerability in Active Support, where a specially crafted string can trigger catastrophic backtracking. This can lead to high CPU and memory usage, effectively disrupting service availability. Exploitation is relatively easy if an attacker can control input to affected methods.
Affected Software
- activesupport
- <6.1.7.1
- >=7.0.0, <7.0.4.1
Technical Details
The vulnerability resides in Active Support's string inflection methods, specifically ActiveSupport::Inflector.underscore and the String#underscore core extension built on it, along with other methods that rely on them such as String#titleize. A maliciously crafted input string, when processed by these methods, forces the underlying regular expression engine into 'catastrophic backtracking': the engine, attempting to match the pattern, explores an excessive number of candidate paths because of overlapping quantifiers or a poorly constructed pattern, consuming disproportionately large amounts of CPU time and memory. That resource consumption stalls legitimate processing and results in a Denial of Service condition on the affected system.
What is the Impact of CVE-2023-22796?
Successful exploitation may allow attackers to disrupt the availability of the affected system or application by consuming excessive CPU and memory resources, leading to a Denial of Service condition.
What is the Exploitability of CVE-2023-22796?
Exploitation of this vulnerability requires the ability to submit specially crafted strings to an application that passes them to the vulnerable Active Support methods (e.g., String#underscore). The complexity is low because it is an input validation flaw, and no authentication or prior privileges are required if the input vector is exposed to unauthenticated users. It can be exploited remotely if the application accepts external input that is subsequently processed by the affected methods. Likelihood is highest for any web application or system that passes user-controlled string input to Active Support's string inflection functionality.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-22796?
Available Upgrade Options
- activesupport
- <6.1.7.1 → Upgrade to 6.1.7.1
- >=7.0.0, <7.0.4.1 → Upgrade to 7.0.4.1
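As an added example (not part of the advisory or of Rails itself), a small Ruby audit helper that applies the affected ranges above to the activesupport version pinned in a Gemfile.lock and reports the version to upgrade to; the Gemfile.lock fragment is constructed for the demonstration.

```ruby
# Added example (not from the advisory): check whether the activesupport
# version pinned in a Gemfile.lock falls inside the CVE-2023-22796 affected
# ranges listed above, and report the fixed version to upgrade to.
require "rubygems"

# Affected ranges and their fixes, exactly as given in the advisory.
AFFECTED_RANGES = [
  { requirement: Gem::Requirement.new("< 6.1.7.1"),             fixed: "6.1.7.1" },
  { requirement: Gem::Requirement.new(">= 7.0.0", "< 7.0.4.1"), fixed: "7.0.4.1" },
].freeze

# Returns the fixed version to upgrade to if +version+ is vulnerable, else nil.
def cve_2023_22796_fix_for(version)
  v = Gem::Version.new(version)
  match = AFFECTED_RANGES.find { |r| r[:requirement].satisfied_by?(v) }
  match && match[:fixed]
end

# Extracts the activesupport version resolved in Gemfile.lock text, or nil.
# Resolved gems appear as "    name (version)" (4-space indent) under specs;
# deeper-indented lines are dependency constraints, not resolved versions.
def activesupport_version_from_lock(lock_text)
  m = lock_text.match(/^\s{4}activesupport \(([^)\s]+)\)/)
  m && m[1]
end

# Returns [version, fixed_version_or_nil] for a Gemfile.lock, or nil if the
# lock does not resolve activesupport at all.
def audit_gemfile_lock(lock_text)
  version = activesupport_version_from_lock(lock_text)
  return nil unless version
  [version, cve_2023_22796_fix_for(version)]
end

# Constructed sample Gemfile.lock fragment (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.4)
        concurrent-ruby (~> 1.0, >= 1.0.2)
        i18n (>= 1.6, < 2)
      concurrent-ruby (1.1.10)
LOCK

if __FILE__ == $0
  version, fix = audit_gemfile_lock(SAMPLE_LOCK)
  puts fix ? "activesupport #{version} is vulnerable; upgrade to #{fix}" :
             "activesupport #{version} is not affected"
end
```

Running it against a real Gemfile.lock (read the file into `audit_gemfile_lock`) gives a quick CI gate until the upgrade lands.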
Additional Resources
- https://github.com/rails/rails
- https://discuss.rubyonrails.org/t/cve-2023-22796-possible-redos-based-dos-vulnerability-in-active-supports-underscore/82116
- https://nvd.nist.gov/vuln/detail/CVE-2023-22796
- https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
- https://security.netapp.com/advisory/ntap-20240202-0009/
- https://github.com/rails/rails/releases/tag/v7.0.4.1
- https://github.com/rails/rails/commit/a7cda7e6aa5334ab41b1f4b0f671be931be946ef
- https://github.com/rails/rails/releases/tag/v6.1.7.1
- https://osv.dev/vulnerability/GHSA-j6gc-792m-qgm2
What are Similar Vulnerabilities to CVE-2023-22796?
Similar Vulnerabilities: CVE-2019-11026, CVE-2020-8187, CVE-2015-8241, CVE-2016-10707, CVE-2021-22920
