CVE-2024-26142
Published: 27 February 2024
Summary
CVE-2024-26142 is a high-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Ruby on Rails (vendor rubyonrails, product rails). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 12.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-0663
Vulnerability details
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The ReDoS vulnerability in the Rails Action Dispatch Accept header parsing lets crafted HTTP requests exhaust server CPU, which maps to application exploitation leading to endpoint denial of service.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.