{"url":"http://public2.vulnerablecode.io/api/packages/79752?format=json","purl":"pkg:gem/rails@6.0.3.5","type":"gem","namespace":"","name":"rails","version":"6.0.3.5","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.7.7","latest_non_vulnerable_version":"7.1.3.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/42380?format=json","vulnerability_id":"VCID-2fra-ffky-97ce","summary":"Exposure of information in Action Pack\nAction Pack is a framework for handling and responding to web requests. Under certain circumstances response bodies will not be closed. In the event a response is *not* notified of a `close`, `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead to data being leaked to subsequent requests. This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and 5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-wh98-p28r-vrc9 can be used.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-23633.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23633","reference_id":"","reference_type":"","scores":[{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.4034","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.4042","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-23633-possible-exposure-of-information-vulnerability-in-action-pack/80016"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/f9a2ad03943d5c2ba54e1d45f155442b519c75da"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2022-23633.yml"},{"reference_url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/ruby-security-ann/c/FkTM-_7zSNA/m/K2RiMJBlBAAJ"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2022/09/msg00002.html"},{"reference_url":"https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2022/2/11/Rails-7-0-2-2-6-1-4-6-6-0-4-6-and-5-2-6-2-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240119-0013","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240119-0013"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240119-0013/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20240119-0013/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2022/02/11/5","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2022/02/11/5"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389","reference_id":"1005389","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1005389"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2063149","reference_id":"2063149","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2063149"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23633","reference_id":"CVE-2022-23633","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-23633"},{"reference_url":"https://github.com/advisories/GHSA-wh98-p28r-vrc9","reference_id":"GHSA-wh98-p28r-vrc9","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wh98-p28r-vrc9"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9","reference_id":"GHSA-wh98-p28r-vrc9","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/security/advisories/GHSA-wh98-p28r-vrc9"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5498","reference_id":"RHSA-2022:5498","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5498"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/550785?format=json","purl":"pkg:gem/rails@6.1.0.rc1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.0.rc1"},{"url":"http://public2.vulnerablecode.io/api/packages/557387?format=json","purl":"pkg:gem/rails@7.0.0.alpha1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/60610?format=json","purl":"pkg:gem/rails@6.0.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60611?format=json","purl":"pkg:gem/rails@6.1.4.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.4.6"},{"url":"http://public2.vulnerablecode.io/api/packages/60612?format=json","purl":"pkg:gem/rails@7.0.2.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bfqq-ypyw-dycj"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sbuv-a22t-bbe2"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.2.2"}],"aliases":["CVE-2022-23633","GHSA-wh98-p28r-vrc9"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2fra-ffky-97ce"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7199?format=json","vulnerability_id":"VCID-cuqq-33dv-xqfh","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22885.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885","reference_id":"","reference_type":"","scores":[{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.79805","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01264","scoring_system":"epss","scoring_elements":"0.7978","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22885.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/NiQl-48cXYI"},{"reference_url":"https://hackerone.com/reports/1106652","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1106652"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4929","reference_id":"","reference_type":"","scores":[],"url":"https://www.debian.org/security/2021/dsa-4929"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441","reference_id":"1957441","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1957441"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885","reference_id":"CVE-2021-22885","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22885"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80875?format=json","purl":"pkg:gem/rails@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/80876?format=json","purl":"pkg:gem/rails@6.1.3.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-9t5z-1umq-qbe4"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.1"}],"aliases":["CVE-2021-22885","GHSA-hjg4-8q5f-x6fm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-cuqq-33dv-xqfh"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7224?format=json","vulnerability_id":"VCID-h52p-drh6-xfg4","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22902.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22902","reference_id":"","reference_type":"","scores":[{"value":"0.00677","scoring_system":"epss","scoring_elements":"0.71945","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00677","scoring_system":"epss","scoring_elements":"0.71906","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22902"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22902"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c"},{"reference_url":"https://hackerone.com/reports/1138654","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1138654"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961382","reference_id":"1961382","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961382"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22902","reference_id":"CVE-2021-22902","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22902"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80875?format=json","purl":"pkg:gem/rails@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/81001?format=json","purl":"pkg:gem/rails@6.1.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-9t5z-1umq-qbe4"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-tctm-uptk-1kcx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vh3y-nfex-rkcw"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.1"}],"aliases":["CVE-2021-22902","GHSA-g8ww-46x2-2p65"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-h52p-drh6-xfg4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44410?format=json","vulnerability_id":"VCID-nhny-abkr-6qhb","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795","reference_id":"","reference_type":"","scores":[{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.80125","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01304","scoring_system":"epss","scoring_elements":"0.80099","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f"},{"reference_url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0"},{"reference_url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.7.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.7.1"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799","reference_id":"2164799","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164799"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795","reference_id":"CVE-2023-22795","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22795"},{"reference_url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv","reference_id":"GHSA-8xww-x3g3-6jcv","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-8xww-x3g3-6jcv"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63886?format=json","purl":"pkg:gem/rails@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63882?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bfqq-ypyw-dycj"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22795","GHSA-8xww-x3g3-6jcv","GMS-2023-56"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-nhny-abkr-6qhb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/3349?format=json","vulnerability_id":"VCID-qe2s-6tzh-cqfv","summary":"open redirect","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json","reference_id":"","reference_type":"","scores":[{"value":"5.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22942.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942","reference_id":"","reference_type":"","scores":[{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67727","published_at":"2026-06-04T12:55:00Z"},{"value":"0.00533","scoring_system":"epss","scoring_elements":"0.67768","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c","reference_id":"","reference_type":"","scores":[{"value":"7.6","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/wB5tRn7h36c"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0005","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0005"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released"},{"reference_url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/","reference_id":"","reference_type":"","scores":[],"url":"https://weblog.rubyonrails.org/2021/8/19/Rails-6-0-4-1-and-6-1-4-1-have-been-released/"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940","reference_id":"1995940","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1995940"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586","reference_id":"992586","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=992586"},{"reference_url":"https://security.archlinux.org/AVG-2492","reference_id":"AVG-2492","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2492"},{"reference_url":"https://security.archlinux.org/AVG-2493","reference_id":"AVG-2493","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2493"},{"reference_url":"https://access.redhat.com/security/cve/cve-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/security/cve/cve-2021-22942"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942","reference_id":"CVE-2021-22942","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22942"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml","reference_id":"CVE-2021-22942.YML","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22942.yml"},{"reference_url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c","reference_id":"GHSA-2rqw-v265-jf8c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-2rqw-v265-jf8c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/59311?format=json","purl":"pkg:gem/rails@6.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/59312?format=json","purl":"pkg:gem/rails@6.1.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.4.1"}],"aliases":["CVE-2021-22942","GHSA-2rqw-v265-jf8c"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qe2s-6tzh-cqfv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44231?format=json","vulnerability_id":"VCID-sw7t-5s3e-vkhx","summary":"ReDoS based DoS vulnerability in Action Dispatch\nThere is a possible regular expression based DoS vulnerability in Action Dispatch. Specially crafted cookies, in combination with a specially crafted `X_FORWARDED_HOST` header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22792.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792","reference_id":"","reference_type":"","scores":[{"value":"0.02264","scoring_system":"epss","scoring_elements":"0.84957","published_at":"2026-06-05T12:55:00Z"},{"value":"0.02264","scoring_system":"epss","scoring_elements":"0.84933","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-22792-possible-redos-based-dos-vulnerability-in-action-dispatch/82115"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v7.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v7.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22792.yml"},{"reference_url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007"},{"reference_url":"https://www.debian.org/security/2023/dsa-5372","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://www.debian.org/security/2023/dsa-5372"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050","reference_id":"1030050","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800","reference_id":"2164800","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164800"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792","reference_id":"CVE-2023-22792","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-22792"},{"reference_url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj","reference_id":"GHSA-p84v-45xj-wwqj","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p84v-45xj-wwqj"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240202-0007/","reference_id":"ntap-20240202-0007","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-24T20:30:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240202-0007/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/63885?format=json","purl":"pkg:gem/rails@6.0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63886?format=json","purl":"pkg:gem/rails@6.1.7.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.1"},{"url":"http://public2.vulnerablecode.io/api/packages/63882?format=json","purl":"pkg:gem/rails@7.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-bfqq-ypyw-dycj"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.4.1"}],"aliases":["CVE-2023-22792","GHSA-p84v-45xj-wwqj","GMS-2023-58"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sw7t-5s3e-vkhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/7198?format=json","vulnerability_id":"VCID-ugdk-t2vk-nkfc","summary":"multiple issues","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22904.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904","reference_id":"","reference_type":"","scores":[{"value":"0.03338","scoring_system":"epss","scoring_elements":"0.87543","published_at":"2026-06-05T12:55:00Z"},{"value":"0.03338","scoring_system":"epss","scoring_elements":"0.87521","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22904"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.4.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.4.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v5.2.6","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v5.2.6"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.0.3.7","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.0.3.7"},{"reference_url":"https://github.com/rails/rails/releases/tag/v6.1.3.2","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/releases/tag/v6.1.3.2"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ"},{"reference_url":"https://hackerone.com/reports/1101125","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1101125"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379","reference_id":"1961379","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1961379"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214","reference_id":"988214","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988214"},{"reference_url":"https://security.archlinux.org/AVG-1920","reference_id":"AVG-1920","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1920"},{"reference_url":"https://security.archlinux.org/AVG-1921","reference_id":"AVG-1921","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1921"},{"reference_url":"https://security.archlinux.org/AVG-2090","reference_id":"AVG-2090","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2090"},{"reference_url":"https://security.archlinux.org/AVG-2223","reference_id":"AVG-2223","reference_type":"","scores":[{"value":"Medium","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-2223"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904","reference_id":"CVE-2021-22904","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22904"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4702","reference_id":"RHSA-2021:4702","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4702"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/80875?format=json","purl":"pkg:gem/rails@6.0.3.7","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.7"},{"url":"http://public2.vulnerablecode.io/api/packages/80998?format=json","purl":"pkg:gem/rails@6.1.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-9t5z-1umq-qbe4"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.3.2"}],"aliases":["CVE-2021-22904","GHSA-7wjx-3g7j-8584"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ugdk-t2vk-nkfc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47139?format=json","vulnerability_id":"VCID-vsdb-j5zk-5kfw","summary":"Rails has possible Sensitive Session Information Leak in Active Storage\n# Possible Sensitive Session Information Leak in Active Storage\n\nThere is a possible sensitive session information leak in Active Storage.  By\ndefault, Active Storage sends a `Set-Cookie` header along with the user's\nsession cookie when serving blobs.  It also sets `Cache-Control` to public.\nCertain proxies may cache the Set-Cookie, leading to an information leak.\n\nThis vulnerability has been assigned the CVE identifier CVE-2024-26144.\n\nVersions Affected:  >= 5.2.0, < 7.1.0\nNot affected:       < 5.2.0, > 7.1.0\nFixed Versions:     7.0.8.1, 6.1.7.7\n\nImpact\n------\nA proxy which chooses to caches this request can cause users to share\nsessions. This may include a user receiving an attacker's session or vice\nversa.\n\nThis was patched in 7.1.0 but not previously identified as a security\nvulnerability.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUpgrade to Rails 7.1.X, or configure caching proxies not to cache the\nSet-Cookie headers.\n\nCredits\n-------\n\nThanks to [tyage](https://hackerone.com/tyage) for reporting this!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26144.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144","reference_id":"","reference_type":"","scores":[{"value":"0.02363","scoring_system":"epss","scoring_elements":"0.85253","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-26144"},{"reference_url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433"},{"reference_url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119","reference_id":"1065119","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1065119"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063","reference_id":"2266063","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2266063"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144","reference_id":"CVE-2024-26144","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26144"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml","reference_id":"CVE-2024-26144.YML","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26144.yml"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml","reference_id":"CVE-2024-26144.YML","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml"},{"reference_url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"GHSA-8h22-8cf7-hq6g","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g","reference_id":"GHSA-8h22-8cf7-hq6g","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g"},{"reference_url":"https://security.netapp.com/advisory/ntap-20240510-0013/","reference_id":"ntap-20240510-0013","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-09T14:01:13Z/"}],"url":"https://security.netapp.com/advisory/ntap-20240510-0013/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:10806","reference_id":"RHSA-2024:10806","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:10806"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69179?format=json","purl":"pkg:gem/rails@6.1.7.7","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.7.7"},{"url":"http://public2.vulnerablecode.io/api/packages/69168?format=json","purl":"pkg:gem/rails@7.0.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@7.0.8.1"}],"aliases":["CVE-2024-26144","GHSA-8h22-8cf7-hq6g"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vsdb-j5zk-5kfw"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51361?format=json","vulnerability_id":"VCID-tctm-uptk-1kcx","summary":"Possible Open Redirect in Host Authorization Middleware\nThere is a possible open redirect vulnerability in the Host Authorization\nmiddleware in Action Pack. This vulnerability has been assigned the CVE\nidentifier CVE-2021-22881.\n\nVersions Affected:  >= 6.0.0\nNot affected:       < 6.0.0\nFixed Versions:     6.1.2.1, 6.0.3.5\n\nImpact\n------\nSpecially crafted \"Host\" headers in combination with certain \"allowed host\"\nformats can cause the Host Authorization middleware in Action Pack to redirect\nusers to a malicious website.\n\nImpacted applications will have allowed hosts with a leading dot.  For\nexample, configuration files that look like this:\n\n```\nconfig.hosts <<  '.tkte.ch'\n```\n\nWhen an allowed host contains a leading dot, a specially crafted Host header\ncan be used to redirect to a malicious website.\n\nWorkarounds\n-----------\nIn the case a patch can't be applied, the following monkey patch can be used\nin an initializer:\n\n```ruby\nmodule ActionDispatch\n  class HostAuthorization\n    private\n      def authorized?(request)\n        valid_host = /\n          \\A\n          (?<host>[a-z0-9.-]+|\\[[a-f0-9]*:[a-f0-9\\.:]+\\])\n          (:\\d+)?\n          \\z\n        /x\n\n        origin_host = valid_host.match(\n          request.get_header(\"HTTP_HOST\").to_s.downcase)\n        forwarded_host = valid_host.match(\n          request.x_forwarded_host.to_s.split(/,\\s?/).last)\n\n        origin_host && @permissions.allows?(origin_host[:host]) && (\n          forwarded_host.nil? || @permissions.allows?(forwarded_host[:host]))\n      end\n  end\nend\n```","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22881.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22881","reference_id":"","reference_type":"","scores":[{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94791","published_at":"2026-06-05T12:55:00Z"},{"value":"0.15453","scoring_system":"epss","scoring_elements":"0.94782","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22881"},{"reference_url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://benjamin-bouchet.com/cve-2021-22881-faille-de-securite-dans-le-middleware-hostauthorization"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22881"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22881-possible-open-redirect-in-host-authorization-middleware/77130"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/blob/v6.1.2.1/actionpack/CHANGELOG.md"},{"reference_url":"https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/commit/b5de7b3a4787d8a55aaad39f477c16e3af65e444"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22881.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/zN_3qA26l6E"},{"reference_url":"https://hackerone.com/reports/1047447","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1047447"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3"},{"reference_url":"https://rubygems.org/gems/actionpack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://rubygems.org/gems/actionpack"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/05/05/2","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/05/05/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/08/20/1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/08/20/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/12/14/5","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/12/14/5"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930211","reference_id":"1930211","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930211"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22881","reference_id":"CVE-2021-22881","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22881"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79752?format=json","purl":"pkg:gem/rails@6.0.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-h52p-drh6-xfg4"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/79753?format=json","purl":"pkg:gem/rails@6.1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-9t5z-1umq-qbe4"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.2.1"}],"aliases":["CVE-2021-22881","GHSA-8877-prq4-9xfw"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tctm-uptk-1kcx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51578?format=json","vulnerability_id":"VCID-vh3y-nfex-rkcw","summary":"Possible DoS Vulnerability in Active Record PostgreSQL adapter\nThere is a possible DoS vulnerability in the PostgreSQL adapter in Active\nRecord. This vulnerability has been assigned the CVE identifier CVE-2021-22880.\n\nVersions Affected:  >= 4.2.0\nNot affected:       < 4.2.0\nFixed Versions:     6.1.2.1, 6.0.3.5, 5.2.4.5\n\nImpact\n------\nCarefully crafted input can cause the input validation in the \"money\" type of\nthe PostgreSQL adapter in Active Record to spend too much time in a regular\nexpression, resulting in the potential for a DoS attack.\n\nThis only impacts Rails applications that are using PostgreSQL along with\nmoney type columns that take user input.\n\nWorkarounds\n-----------\nIn the case a patch can't be applied, the following monkey patch can be used\nin an initializer:\n\n```\nmodule ActiveRecord\n  module ConnectionAdapters\n    module PostgreSQL\n      module OID # :nodoc:\n        class Money < Type::Decimal # :nodoc:\n          def cast_value(value)\n            return value unless ::String === value\n\n            value = value.sub(/^\\((.+)\\)$/, '-\\1') # (4)\n            case value\n            when /^-?\\D*+[\\d,]+\\.\\d{2}$/  # (1)\n              value.gsub!(/[^-\\d.]/, \"\")\n            when /^-?\\D*+[\\d.]+,\\d{2}$/  # (2)\n              value.gsub!(/[^-\\d,]/, \"\").sub!(/,/, \".\")\n            end\n\n            super(value)\n          end\n        end\n      end\n    end\n  end\nend\n```","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-22880.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22880","reference_id":"","reference_type":"","scores":[{"value":"0.02599","scoring_system":"epss","scoring_elements":"0.85889","published_at":"2026-06-04T12:55:00Z"},{"value":"0.02599","scoring_system":"epss","scoring_elements":"0.85911","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22880"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22885"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22904"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2021-22880-possible-dos-vulnerability-in-active-record-postgresql-adapter/77129"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activerecord/CVE-2021-22880.yml"},{"reference_url":"https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/g/rubyonrails-security/c/ZzUqCh9vyhI"},{"reference_url":"https://hackerone.com/reports/1023899","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1023899"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MO5OJ3F4ZL3UXVLJO6ECANRVZBNRS2IH/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XQ3NS4IBYE2I3MVMGAHFZBZBIZGHXHT3/"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210805-0009"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210805-0009/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210805-0009/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4929","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4929"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930102","reference_id":"1930102","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1930102"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22880","reference_id":"CVE-2021-22880","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-22880"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/79751?format=json","purl":"pkg:gem/rails@5.2.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@5.2.4.5"},{"url":"http://public2.vulnerablecode.io/api/packages/79752?format=json","purl":"pkg:gem/rails@6.0.3.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-h52p-drh6-xfg4"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.5"},{"url":"http://public2.vulnerablecode.io/api/packages/79753?format=json","purl":"pkg:gem/rails@6.1.2.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2fra-ffky-97ce"},{"vulnerability":"VCID-9t5z-1umq-qbe4"},{"vulnerability":"VCID-cuqq-33dv-xqfh"},{"vulnerability":"VCID-nhny-abkr-6qhb"},{"vulnerability":"VCID-qe2s-6tzh-cqfv"},{"vulnerability":"VCID-sw7t-5s3e-vkhx"},{"vulnerability":"VCID-ugdk-t2vk-nkfc"},{"vulnerability":"VCID-uhm1-xeqs-auec"},{"vulnerability":"VCID-vsdb-j5zk-5kfw"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.1.2.1"}],"aliases":["CVE-2021-22880","GHSA-8hc4-xxm3-5ppp"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vh3y-nfex-rkcw"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rails@6.0.3.5"}