DoS via regex backtrack in Rails ActiveSupport <6.1.7.1/7.0.4.1 underscore
CVE-2023-22796 Published on February 9, 2023
A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted string passed to the underscore method can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability.
Weakness Type
What is a Resource Exhaustion Vulnerability?
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
CVE-2023-22796 has been classified to as a Resource Exhaustion vulnerability or weakness.
Products Associated with CVE-2023-22796
stack.watch emails you whenever new vulnerabilities are published in Activesupportproject Activesupport or Ruby on Rails Rails. Just hit a watch button to start following.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.