Home > Vulnerability Database > CVE-2021-22902

Mend.io Vulnerability Database

CVE-2021-22902

Good to know:

Date: June 11, 2021

The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Language: Ruby

Severity Score

7.5

Related Resources (7)

Url: https://github.com/rails/rails/commit/40f82dc38fe3f21d41b9345a26ad23ac90cf31c9

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-22902

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2021-22902

Url: https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866

Url: https://security-tracker.debian.org/tracker/CVE-2021-22902

Url: https://hackerone.com/reports/1138654

Url: https://www.mend.io/vulnerability-database/CVE-2021-22902

Severity Score

7.5

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Top Fix

Upgrade Version

Upgrade to version actionpack - 6.0.3.7,6.1.3.2

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-22902

Good to know:

Date: June 11, 2021

Language: Ruby

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?