
CVE-2021-4250: active_attr Improper Resource Shutdown or Release vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.17095%
Published: 12/19/2022
Updated: 1/27/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: active_attr
Ecosystem: rubygems
Vulnerable Versions: < 0.15.4
First Patched Version: 0.15.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the regex pattern in the BooleanTypecaster's call method. The commit diff shows the fix replaces '+' quantifiers with possessive '++' in the regex to prevent backtracking. The issue #184 explicitly identifies this regex as the ReDoS vector, and the CWE-404 classification aligns with resource exhaustion via unoptimized regex processing. The function's role in processing user-controllable 'value' arguments makes it the clear entry point for exploitation.
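The fix pattern the analysis describes, as an added Ruby illustration that is not active_attr's own code: a toy boolean typecaster with a constructed "false" regex in the nested-greedy-'+' shape, the same pattern with possessive '++', an equivalence check a maintainer would run before shipping such a fix, and the Ruby 3.2+ match-timeout backstop. The regexes, `cast_boolean`, `same_decisions?` and `reject_time` are all constructed for this example.

```ruby
# Added illustration, not active_attr's own code: a toy boolean typecaster whose
# "false" regex has the backtracking shape the advisory describes (a greedy '+'
# nested inside a repeated group), beside the same pattern with possessive '++'.
require 'benchmark'

# Both patterns are CONSTRUCTED for this example and accept the same language
# (one or more '0' digits); the gem's real pattern is not reproduced here.
VULNERABLE_FALSE = /\A(?:0+)+\z/    # nested greedy '+': every split of the zeros is retried on failure
HARDENED_FALSE   = /\A(?:0++)++\z/  # possessive '++': a quantifier never gives back what it consumed

FALSE_WORDS = %w[false f].freeze

# Toy entry point taking a user-controlled value: false for a recognised false
# token or zero string, nil for blank input, true for anything else.
def cast_boolean(value, pattern: HARDENED_FALSE)
  s = value.to_s.strip
  return nil if s.empty?
  return false if FALSE_WORDS.include?(s.downcase) || pattern.match?(s)
  true
end

# Check a maintainer should run before shipping a possessive-quantifier fix:
# possessive quantifiers can change what a regex accepts, so both patterns
# must make the same accept/reject decision on every sample.
def same_decisions?(samples)
  samples.all? { |s| VULNERABLE_FALSE.match?(s) == HARDENED_FALSE.match?(s) }
end

# Seconds spent rejecting a near-miss input (n zeros then a '1'). On Ruby < 3.2
# the vulnerable pattern grows exponentially in n; Ruby 3.2+ memoises matches
# and blunts the effect, so treat the printed numbers as illustrative.
def reject_time(pattern, n)
  input = ('0' * n) + '1'
  Benchmark.realtime { pattern.match?(input) }
end

# Backstop available on Ruby 3.2+: a global match timeout turns a runaway
# match into Regexp::TimeoutError instead of a hung worker.
Regexp.timeout = 2.0 if Regexp.respond_to?(:timeout=)

if __FILE__ == $PROGRAM_NAME
  puts "same decisions: #{same_decisions?(%w[0 00 0.0 false F 1 0x yes])}"
  puts "casts: #{%w[0 FALSE yes].map { |v| cast_boolean(v) }.inspect}"
  [8, 16, 20].each do |n|
    printf("n=%2d vulnerable=%.4fs hardened=%.6fs\n", n,
           reject_time(VULNERABLE_FALSE, n), reject_time(HARDENED_FALSE, n))
  end
end
```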

WAF Protection Rules

WAF Rule

A vulnerability classified as problematic has been found in cgriego active_attr up to 0.15.3. This affects the function call of the file lib/active_attr/typecasting/boolean_typecaster.rb of the component Regex Handler. The manipulation of the argumen
