CVE-2021-22902
Denial of Service in Action Dispatch
7.5
HIGH
CVSS 3.1
EPSS 0.68%
Description
The actionpack ruby gem (the framework that handles and responds to web requests in Rails) before 6.0.3.7 (6.0 series) and 6.1.3.2 (6.1 series) suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. A carefully crafted Accept header can cause the mime type parser to perform catastrophic backtracking in the regular expression engine, so a single request can occupy an application worker for far longer than the header's length would justify. The Accept header is attacker-controlled on every request and needs neither credentials nor user interaction, which is what the CVSS vector (AV:N/AC:L/PR:N/UI:N, availability impact only) records.
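The shape of the bug, as an added example that is not Rails' source code: an illustrative media-type regex whose repeated parameter group opens and closes with \s* (so a run of spaces before each ";" can be split among several quantifiers), next to the atomic-group form that removes the backtracking, plus a length cap and a match budget as defence in depth. The names TOKEN, PARAM, VULNERABLE, HARDENED, adversarial_header, match_time, valid_media_type? and the 1024-byte cap are assumptions made for this illustration, and the adversarial header is constructed here.

```ruby
require "timeout"

# Illustrative media-type grammar for one Accept header entry (a constructed
# example, not Rails' actual source): a token type, "/" and subtype, then
# zero or more "; key=value" parameters.
TOKEN = "[a-zA-Z0-9][a-zA-Z0-9#{Regexp.escape('!#$&-^_.+')}]{0,126}"
PARAM = "\\s*;\\s*#{TOKEN}(?:=#{TOKEN})?"

# Vulnerable shape: the repeated group opens and closes with \s* and PARAM
# itself opens with \s*, so the spaces before each ";" can be split among
# three quantifiers in many ways. When the header finally fails to match,
# the engine retries every combination of every gap, and the work grows
# exponentially with the number of parameters.
VULNERABLE = /\A(?:\*\/\*|#{TOKEN}\/(?:\*|#{TOKEN})(?:\s*#{PARAM}\s*)*)\z/

# Hardened shape: the atomic group (?>...) commits to the first way each
# parameter matched, so a failure further right cannot re-enter it.
HARDENED = /\A(?:\*\/\*|#{TOKEN}\/(?:\*|#{TOKEN})(?>\s*#{PARAM}\s*)*)\z/

# Constructed adversarial header: `params` parameters, each preceded by a
# three-space gap, ending in "?", which is neither a token character nor
# whitespace, so the whole pattern must fail after exploring every split.
def adversarial_header(params)
  "text/html" + ("   ;q=1" * params) + "?"
end

# Returns [matched?, seconds] for one match of `regex` against `header`.
def match_time(regex, header)
  t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = regex.match?(header)
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0]
end

# Defence in depth for the header parser: an assumed 1 KiB cap (legitimate
# Accept headers are far shorter), the backtracking-free regex, and a wall
# clock budget so a surprise in the grammar cannot pin a worker.
MAX_ACCEPT_BYTES = 1024

def valid_media_type?(value, regex: HARDENED, budget_seconds: 0.5)
  return false if value.bytesize > MAX_ACCEPT_BYTES
  Timeout.timeout(budget_seconds) { regex.match?(value) }
rescue Timeout::Error
  false
end

if $PROGRAM_NAME == __FILE__
  # Small parameter counts only: the vulnerable regex is exponential, so each
  # extra parameter multiplies its time roughly tenfold here (on Ruby < 3.2;
  # Ruby 3.2+ memoizes many patterns and may mask the growth).
  (2..6).each do |params|
    header = adversarial_header(params)
    _, slow = match_time(VULNERABLE, header)
    _, fast = match_time(HARDENED, header)
    printf("params=%d vulnerable=%.5fs hardened=%.5fs\n", params, slow, fast)
  end
end
```

Run it and watch the vulnerable column climb while the hardened column stays flat; push the range above 6 only with a timeout around it. The atomic group is the actual fix for this class of pattern; the byte cap and the Timeout wrapper are belt and braces, and on Ruby 3.2 or newer a global Regexp.timeout= does the same job for every match in the process.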
How to fix CVE-2021-22902
To remediate CVE-2021-22902, upgrade the affected package to a fixed version below. The two version strings describe the same fix in two packaging schemes: the form with the "2:" epoch and "+dfsg" suffix is a Debian-style distribution package version, the plain form is the actionpack rubygem.
- distribution package: upgrade to 2:6.0.3.7+dfsg-1 or later
- actionpack gem, 6.0 series: upgrade to 6.0.3.7 or later
- actionpack gem, 6.1 series: upgrade to 6.1.3.2 or later (the fixed 6.1 release named in the description)
After bundle update actionpack, confirm the actionpack line in Gemfile.lock shows a fixed version; actionpack is pulled in by the rails gem, so check the resolved version rather than the rails constraint in the Gemfile.
Is CVE-2021-22902 being exploited?
Low: EPSS is 0.68%, the estimated probability that the vulnerability is exploited in the wild within the next 30 days. That is a prediction, not a record of observed attacks, and it says nothing about the cost of an attempt: a ReDoS of this kind needs only a single unauthenticated request with a long Accept header, so do not let the low score delay the upgrade.
Affected packages (2)
- distribution package (Debian-style version): all versions before 2:6.0.3.7+dfsg-1
- actionpack rubygem: >= 6.0.0, < 6.0.3.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |