6.6

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47887

GHSA ID

GHSA-vfg9-r3fq-jvx4

EPSS Score

0.53342%

CWE

CWE-1333

Published

10/15/2024

Updated

10/31/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-47887

CVE-2024-47887: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

There is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. This vulnerability has been assigned the CVE identifier CVE-2024-47887.

Impact

For applications using HTTP Token authentication via authenticate_or_request_with_http_token or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users on Ruby 3.2 are unaffected by this issue.

Credits

Thanks to scyoon for reporting

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-47887

CVE-2024-47887:

6.6

CVSS Score

4.0

-

CVSS Score

Basic Information

CVE ID

CVE-2024-47887

GHSA ID

GHSA-vfg9-r3fq-jvx4

EPSS Score

0.53342%

CWE

CWE-1333

Published

10/15/2024

Updated

10/31/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
actionpack	rubygems	>= 4.0.0, < 6.1.7.9	6.1.7.9
actionpack	rubygems	>= 7.0.0, < 7.0.8.5	7.0.8.5
actionpack

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers around HTTP Token authentication methods like authenticate_or_request_with_http_token. These methods ultimately call the Token.authenticate and token_and_options methods in http_authentication.rb, which use regex patterns to parse Authorization headers. The advisory's mention of Ruby 3.2's regex mitigations and the CWE-1333 classification strongly suggests a vulnerable regex pattern in these authentication handlers. While exact commit diffs aren't available, the described impact pattern matches the known authentication flow in these files.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.6

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-47887: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Impact

Releases

Workarounds

Credits

CVE-2024-47887:

6.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-47887: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller

Impact

Releases

Workarounds

Credits

6.6

6.6

Basic Information

Basic Information

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI