actionpack is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability exists in the if_none_match_etags
function of cache.rb
due to inefficient regular expression complexity which allows an attacker to crash the application. The vulnerability only applies to ruby < 3.2.0.
discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
github.com/advisories/GHSA-8xww-x3g3-6jcv
github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
github.com/rails/rails/releases/tag/v6.1.7.1
github.com/rails/rails/releases/tag/v7.0.4.1
github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
www.debian.org/security/2023/dsa-5372