CVE-2021-22904.yml
---
gem: actionpack
framework: rails
cve: 2021-22904
ghsa: 7wjx-3g7j-8584
url: https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ
title: Possible DoS Vulnerability in Action Controller Token Authentication
date: 2021-05-05
description: |
  There is a possible DoS vulnerability in the Token Authentication logic in
  Action Controller. This vulnerability has been assigned the CVE identifier
  CVE-2021-22904.

  Versions Affected: >= 4.0.0
  Not affected: < 4.0.0
  Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

  Impact
  ------
  Impacted code uses `authenticate_or_request_with_http_token` or
  `authenticate_with_http_token` for request authentication. Impacted code will
  look something like this:

  ```ruby
  class PostsController < ApplicationController
    before_action :authenticate

    private

    def authenticate
      authenticate_or_request_with_http_token do |token, options|
        # ...
      end
    end
  end
  ```

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The fixed releases are available at the normal locations.

  Workarounds
  -----------
  The following monkey patch placed in an initializer can be used to work around
  the issue:

  ```ruby
  module ActionController::HttpAuthentication::Token
    AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
  end
  ```
cvss_v3: 7.5
unaffected_versions:
- "< 4.0.0"
patched_versions:
- "~> 5.2.4.6"
- "~> 5.2.6"
- "~> 6.0.3, >= 6.0.3.7"
- ">= 6.1.3.2"
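An added check, not part of this advisory record or the ruby-advisory-db project, that reads the pinned actionpack version out of a Gemfile.lock and tests it against the `unaffected_versions` and `patched_versions` ranges above with `Gem::Requirement`; the Gemfile.lock excerpt is constructed for the example.

```ruby
# Added example: decide whether a pinned actionpack version is exposed to
# CVE-2021-22904 according to the ranges in this advisory record.
require "rubygems"

# Ranges copied from the advisory record above.
UNAFFECTED_VERSIONS = ["< 4.0.0"].freeze
PATCHED_VERSIONS = [
  "~> 5.2.4.6",
  "~> 5.2.6",
  "~> 6.0.3, >= 6.0.3.7",
  ">= 6.1.3.2",
].freeze

# Constructed Gemfile.lock excerpt (not taken from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.3.1)
        actionview (= 6.1.3.1)
        activesupport (= 6.1.3.1)
LOCK

# True when +version+ satisfies any of the comma-separated requirement strings.
def matches_any?(version, requirement_strings)
  v = Gem::Version.new(version)
  requirement_strings.any? do |spec|
    Gem::Requirement.new(*spec.split(",").map(&:strip)).satisfied_by?(v)
  end
end

# Affected = outside the unaffected range and outside every patched range.
def vulnerable?(version)
  !matches_any?(version, UNAFFECTED_VERSIONS) &&
    !matches_any?(version, PATCHED_VERSIONS)
end

# Top-level gem specs in Gemfile.lock are indented by exactly four spaces;
# their dependencies sit deeper and are skipped by the anchored regex.
def actionpack_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}actionpack \(([\d.]+)\)$/)
  match && match[1]
end

if __FILE__ == $PROGRAM_NAME
  version = actionpack_version_from_lockfile(SAMPLE_LOCK)
  puts "actionpack #{version}: #{vulnerable?(version) ? 'AFFECTED' : 'not affected'}"
end
```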