Package Instance

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ

reference_url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html

reference_url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240119-0013

reference_url	https://security.netapp.com/advisory/ntap-20240119-0013/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20240119-0013/

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2022/02/11/5

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389
reference_id	1005389
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149
reference_id	2063149
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2063149

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_id

CVE-2022-23633

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-23633

reference_url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wh98-p28r-vrc9

reference_url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_id

GHSA-wh98-p28r-vrc9

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9

reference_url	https://access.redhat.com/errata/RHSA-2022:5498
reference_id	RHSA-2022:5498
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:5498

fixed_packages

url pkg:gem/rails@6.0.4.6

purl pkg:gem/rails@6.0.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.4.6

url pkg:gem/rails@6.1.0.rc1

purl pkg:gem/rails@6.1.0.rc1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.0.rc1

url pkg:gem/rails@6.1.4.6

purl pkg:gem/rails@6.1.4.6

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.4.6

url	pkg:gem/rails@7.0.0.alpha1
purl	pkg:gem/rails@7.0.0.alpha1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.0.alpha1

url pkg:gem/rails@7.0.2.2

purl pkg:gem/rails@7.0.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-sbuv-a22t-bbe2

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.2.2

aliases CVE-2022-23633, GHSA-wh98-p28r-vrc9

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2fra-ffky-97ce

url VCID-cuqq-33dv-xqfh

vulnerability_id VCID-cuqq-33dv-xqfh

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22885

reference_id

reference_type

scores

value	0.01264
scoring_system	epss
scoring_elements	0.79811
published_at	2026-06-06T12:55:00Z

value	0.01264
scoring_system	epss
scoring_elements	0.79805
published_at	2026-06-05T12:55:00Z

value	0.01264
scoring_system	epss
scoring_elements	0.7978
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI

reference_url

https://hackerone.com/reports/1106652

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1106652

reference_url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_url	https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210805-0009/

reference_url	https://www.debian.org/security/2021/dsa-4929
reference_id
reference_type
scores
url	https://www.debian.org/security/2021/dsa-4929

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1957441
reference_id	1957441
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1957441

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-1920

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-1921

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22885

reference_url

reference_id

CVE-2021-22885

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22885

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/rails@6.0.3.7

purl pkg:gem/rails@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7

url pkg:gem/rails@6.1.3.1

purl pkg:gem/rails@6.1.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.1

aliases CVE-2021-22885, GHSA-hjg4-8q5f-x6fm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cuqq-33dv-xqfh

url VCID-h52p-drh6-xfg4

vulnerability_id VCID-h52p-drh6-xfg4

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22902

reference_id

reference_type

scores

value	0.00677
scoring_system	epss
scoring_elements	0.71953
published_at	2026-06-06T12:55:00Z

value	0.00677
scoring_system	epss
scoring_elements	0.71906
published_at	2026-06-04T12:55:00Z

value	0.00677
scoring_system	epss
scoring_elements	0.71945
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22902

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c

reference_url

https://hackerone.com/reports/1138654

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1138654

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1961382
reference_id	1961382
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1961382

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22902

reference_url

reference_id

CVE-2021-22902

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22902

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/rails@6.0.3.7

purl pkg:gem/rails@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7

url pkg:gem/rails@6.1.1

purl pkg:gem/rails@6.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vh3y-nfex-rkcw

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.1

aliases CVE-2021-22902, GHSA-g8ww-46x2-2p65

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h52p-drh6-xfg4

url VCID-nhny-abkr-6qhb

vulnerability_id VCID-nhny-abkr-6qhb

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_id

reference_type

scores

value	0.01304
scoring_system	epss
scoring_elements	0.80129
published_at	2026-06-06T12:55:00Z

value	0.01304
scoring_system	epss
scoring_elements	0.80125
published_at	2026-06-05T12:55:00Z

value	0.01304
scoring_system	epss
scoring_elements	0.80099
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f

reference_url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0

reference_url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592

reference_url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.7.1

reference_url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799
reference_id	2164799
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164799

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_id

CVE-2023-22795

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22795

reference_url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv
reference_id	GHSA-8xww-x3g3-6jcv
reference_type
scores
url	https://github.com/advisories/GHSA-8xww-x3g3-6jcv

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/rails@6.1.7.1

purl pkg:gem/rails@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1

url pkg:gem/rails@7.0.4.1

purl pkg:gem/rails@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1

aliases CVE-2023-22795, GHSA-8xww-x3g3-6jcv, GMS-2023-56

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhny-abkr-6qhb

url VCID-qe2s-6tzh-cqfv

vulnerability_id VCID-qe2s-6tzh-cqfv

summary open redirect

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_id

reference_type

scores

value	0.00533
scoring_system	epss
scoring_elements	0.67768
published_at	2026-06-05T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67727
published_at	2026-06-04T12:55:00Z

value	0.00533
scoring_system	epss
scoring_elements	0.67775
published_at	2026-06-06T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_url

reference_id

reference_type

scores

value	7.6
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0005

reference_url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released

reference_url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/
reference_id
reference_type
scores
url	https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940
reference_id	1995940
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1995940

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586
reference_id	992586
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586

reference_url

https://security.archlinux.org/AVG-2492

reference_id

AVG-2492

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2492

reference_url

https://security.archlinux.org/AVG-2493

reference_id

AVG-2493

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-2493

reference_url

https://access.redhat.com/security/cve/cve-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/cve-2021-22942

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_id

CVE-2021-22942

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22942

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_id

CVE-2021-22942.YML

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml

reference_url	https://github.com/advisories/GHSA-2rqw-v265-jf8c
reference_id	GHSA-2rqw-v265-jf8c
reference_type
scores
url	https://github.com/advisories/GHSA-2rqw-v265-jf8c

fixed_packages

url pkg:gem/rails@6.0.4.1

purl pkg:gem/rails@6.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.4.1

url pkg:gem/rails@6.1.4.1

purl pkg:gem/rails@6.1.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.4.1

aliases CVE-2021-22942, GHSA-2rqw-v265-jf8c

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qe2s-6tzh-cqfv

url VCID-sw7t-5s3e-vkhx

vulnerability_id VCID-sw7t-5s3e-vkhx

summary

ReDoS based DoS vulnerability in Action Dispatch
There is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_id

reference_type

scores

value	0.02264
scoring_system	epss
scoring_elements	0.84962
published_at	2026-06-06T12:55:00Z

value	0.02264
scoring_system	epss
scoring_elements	0.84933
published_at	2026-06-04T12:55:00Z

value	0.02264
scoring_system	epss
scoring_elements	0.84957
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796

reference_url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v7.0.4.1

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml

reference_url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240202-0007

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
reference_id	1030050
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800
reference_id	2164800
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164800

reference_url

reference_id

CVE-2023-22792

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-22792

reference_url	https://github.com/advisories/GHSA-p84v-45xj-wwqj
reference_id	GHSA-p84v-45xj-wwqj
reference_type
scores
url	https://github.com/advisories/GHSA-p84v-45xj-wwqj

reference_url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_id

ntap-20240202-0007

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/

url

https://security.netapp.com/advisory/ntap-20240202-0007/

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

fixed_packages

url pkg:gem/rails@6.0.6.1

purl pkg:gem/rails@6.0.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.6.1

url pkg:gem/rails@6.1.7.1

purl pkg:gem/rails@6.1.7.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1

url pkg:gem/rails@7.0.4.1

purl pkg:gem/rails@7.0.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bfqq-ypyw-dycj

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1

aliases CVE-2023-22792, GHSA-p84v-45xj-wwqj, GMS-2023-58

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sw7t-5s3e-vkhx

url VCID-tctm-uptk-1kcx

vulnerability_id VCID-tctm-uptk-1kcx

summary

Possible Open Redirect in Host Authorization Middleware
There is a possible open redirect vulnerability in the Host Authorization
middleware in Action Pack. This vulnerability has been assigned the CVE
identifier CVE-2021-22881.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.1.2.1, 6.0.3.5

Impact
------
Specially crafted "Host" headers in combination with certain "allowed host"
formats can cause the Host Authorization middleware in Action Pack to redirect
users to a malicious website.

Impacted applications will have allowed hosts with a leading dot.  For
example, configuration files that look like this:

```
config.hosts <<  '.tkte.ch'
```

When an allowed host contains a leading dot, a specially crafted Host header
can be used to redirect to a malicious website.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

```ruby
module ActionDispatch
  class HostAuthorization
    private
      def authorized?(request)
        valid_host = /
          \A
          (?<host>[a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9\.:]+\])
          (:\d+)?
          \z
        /x

        origin_host = valid_host.match(
          request.get_header("HTTP_HOST").to_s.downcase)
        forwarded_host = valid_host.match(
          request.x_forwarded_host.to_s.split(/,\s?/).last)

        origin_host && @permissions.allows?(origin_host[:host]) && (
          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))
      end
  end
end
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22881

reference_id

reference_type

scores

value	0.15453
scoring_system	epss
scoring_elements	0.94792
published_at	2026-06-06T12:55:00Z

value	0.15453
scoring_system	epss
scoring_elements	0.94791
published_at	2026-06-05T12:55:00Z

value	0.15453
scoring_system	epss
scoring_elements	0.94782
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22881

reference_url

https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md

reference_url

https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E

reference_url

https://hackerone.com/reports/1047447

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1047447

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/05/05/2

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/05/05/2

reference_url

http://www.openwall.com/lists/oss-security/2021/08/20/1

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/08/20/1

reference_url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2021/12/14/5

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1930211
reference_id	1930211
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1930211

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22881

reference_id

CVE-2021-22881

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22881

fixed_packages

url pkg:gem/rails@6.0.3.5

purl pkg:gem/rails@6.0.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.5

url pkg:gem/rails@6.1.2.1

purl pkg:gem/rails@6.1.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.2.1

aliases CVE-2021-22881, GHSA-8877-prq4-9xfw

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tctm-uptk-1kcx

url VCID-ugdk-t2vk-nkfc

vulnerability_id VCID-ugdk-t2vk-nkfc

summary multiple issues

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_id

reference_type

scores

value	0.03338
scoring_system	epss
scoring_elements	0.87521
published_at	2026-06-04T12:55:00Z

value	0.03338
scoring_system	epss
scoring_elements	0.87541
published_at	2026-06-06T12:55:00Z

value	0.03338
scoring_system	epss
scoring_elements	0.87543
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22904

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.4.6

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.4.6

reference_url

https://github.com/rails/rails/releases/tag/v5.2.6

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v5.2.6

reference_url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.0.3.7

reference_url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rails/rails/releases/tag/v6.1.3.2

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ

reference_url

https://hackerone.com/reports/1101125

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1101125

reference_url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_url	https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210805-0009/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1961379
reference_id	1961379
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1961379

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214
reference_id	988214
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214

reference_url

reference_id

AVG-1920

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-1921

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2090

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

reference_url

reference_id

AVG-2223

reference_type

scores

value	Medium
scoring_system	archlinux
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22904

reference_url

reference_id

CVE-2021-22904

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22904

reference_url	https://access.redhat.com/errata/RHSA-2021:4702
reference_id	RHSA-2021:4702
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:4702

fixed_packages

url pkg:gem/rails@6.0.3.7

purl pkg:gem/rails@6.0.3.7

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7

url pkg:gem/rails@6.1.3.2

purl pkg:gem/rails@6.1.3.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.2

aliases CVE-2021-22904, GHSA-7wjx-3g7j-8584

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ugdk-t2vk-nkfc

url VCID-uusn-n8vk-2bcm

vulnerability_id VCID-uusn-n8vk-2bcm

summary

Possible XSS Vulnerability in Action Pack in Development Mode
There is a possible XSS vulnerability in Action Pack while the application
server is in development mode.  This vulnerability is in the Actionable
Exceptions middleware.  This vulnerability has been assigned the CVE
identifier CVE-2020-8264.

Versions Affected:  >= 6.0.0
Not affected:       < 6.0.0
Fixed Versions:     6.0.3.4

Impact
------
When an application is running in development mode, and attacker can send or
embed (in another page) a specially crafted URL which can allow the attacker
to execute JavaScript in the context of the local application.

Workarounds
-----------
Until such time as the patch can be applied, application developers should
disable the Actionable Exceptions middleware in their development environment via
a line such as this one in their config/environment/development.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json

reference_id

reference_type

scores

value	7.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8264.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8264

reference_id

reference_type

scores

value	0.0205
scoring_system	epss
scoring_elements	0.84214
published_at	2026-06-06T12:55:00Z

value	0.0205
scoring_system	epss
scoring_elements	0.84211
published_at	2026-06-05T12:55:00Z

value	0.0205
scoring_system	epss
scoring_elements	0.84187
published_at	2026-06-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8264

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8264

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2020-8264.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk

reference_url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/yQzUVfv42jk/m/oJWw-xhNAQAJ

reference_url

https://hackerone.com/reports/904059

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/904059

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1886554
reference_id	1886554
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1886554

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988
reference_id	971988
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971988

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8264

reference_id

CVE-2020-8264

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8264

fixed_packages

url pkg:gem/rails@6.0.3.4

purl pkg:gem/rails@6.0.3.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-tctm-uptk-1kcx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-vh3y-nfex-rkcw

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.4

aliases CVE-2020-8264, GHSA-35mm-cc6r-8fjp

risk_score 3.5

exploitability 0.5

weighted_severity 6.9

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uusn-n8vk-2bcm

url VCID-vh3y-nfex-rkcw

vulnerability_id VCID-vh3y-nfex-rkcw

summary

Possible DoS Vulnerability in Active Record PostgreSQL adapter
There is a possible DoS vulnerability in the PostgreSQL adapter in Active
Record. This vulnerability has been assigned the CVE identifier CVE-2021-22880.

Versions Affected:  >= 4.2.0
Not affected:       < 4.2.0
Fixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5

Impact
------
Carefully crafted input can cause the input validation in the "money" type of
the PostgreSQL adapter in Active Record to spend too much time in a regular
expression, resulting in the potential for a DoS attack.

This only impacts Rails applications that are using PostgreSQL along with
money type columns that take user input.

Workarounds
-----------
In the case a patch can't be applied, the following monkey patch can be used
in an initializer:

```
module ActiveRecord
  module ConnectionAdapters
    module PostgreSQL
      module OID # :nodoc:
        class Money < Type::Decimal # :nodoc:
          def cast_value(value)
            return value unless ::String === value

            value = value.sub(/^\((.+)\)$/, '-\1') # (4)
            case value
            when /^-?\D*+[\d,]+\.\d{2}$/  # (1)
              value.gsub!(/[^-\d.]/, "")
            when /^-?\D*+[\d.]+,\d{2}$/  # (2)
              value.gsub!(/[^-\d,]/, "").sub!(/,/, ".")
            end

            super(value)
          end
        end
      end
    end
  end
end
```

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-22880

reference_id

reference_type

scores

value	0.02599
scoring_system	epss
scoring_elements	0.85914
published_at	2026-06-06T12:55:00Z

value	0.02599
scoring_system	epss
scoring_elements	0.85889
published_at	2026-06-04T12:55:00Z

value	0.02599
scoring_system	epss
scoring_elements	0.85911
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904

reference_url

https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI

reference_url

https://hackerone.com/reports/1023899

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1023899

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3

reference_url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/
reference_id
reference_type
scores
url	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/

reference_url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20210805-0009

reference_url	https://security.netapp.com/advisory/ntap-20210805-0009/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20210805-0009/

reference_url

https://www.debian.org/security/2021/dsa-4929

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.debian.org/security/2021/dsa-4929

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1930102
reference_id	1930102
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1930102

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-22880

reference_id

CVE-2021-22880

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-22880

fixed_packages

url pkg:gem/rails@6.0.3.5

purl pkg:gem/rails@6.0.3.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-h52p-drh6-xfg4

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.5

url pkg:gem/rails@6.1.2.1

purl pkg:gem/rails@6.1.2.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-2fra-ffky-97ce

vulnerability	VCID-9t5z-1umq-qbe4

vulnerability	VCID-cuqq-33dv-xqfh

vulnerability	VCID-nhny-abkr-6qhb

vulnerability	VCID-qe2s-6tzh-cqfv

vulnerability	VCID-sw7t-5s3e-vkhx

vulnerability	VCID-ugdk-t2vk-nkfc

vulnerability	VCID-uhm1-xeqs-auec

vulnerability	VCID-vsdb-j5zk-5kfw

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.2.1

aliases CVE-2021-22880, GHSA-8hc4-xxm3-5ppp

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vh3y-nfex-rkcw

url VCID-vsdb-j5zk-5kfw

vulnerability_id VCID-vsdb-j5zk-5kfw

summary

Rails has possible Sensitive Session Information Leak in Active Storage
# Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage.  By
default, Active Storage sends a `Set-Cookie` header along with the user's
session cookie when serving blobs.  It also sets `Cache-Control` to public.
Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected:  >= 5.2.0, < 7.1.0
Not affected:       < 5.2.0, > 7.1.0
Fixed Versions:     7.0.8.1, 6.1.7.7

Impact
------
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker's session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
Set-Cookie headers.

Credits
-------

Thanks to [tyage](https://hackerone.com/tyage) for reporting this!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26144

reference_id

reference_type

scores

value	0.02363
scoring_system	epss
scoring_elements	0.85259
published_at	2026-06-06T12:55:00Z

value	0.02363
scoring_system	epss
scoring_elements	0.85253
published_at	2026-06-05T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26144

reference_url

https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/

url

https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url