CVE-2024-26142

Denial of Service
Affects: Ruby on Rails Framework 7.1.0.0 to 7.1.3.0 in Rails
Patch Available
This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Ruby on Rails (often called Rails) is a web application framework written in Ruby that emphasizes convention over configuration and the principle of "don't repeat yourself" (DRY). It provides developers with a structured and efficient way to build database-backed web applications through pre-built patterns for rapid development. 

This vulnerability allows an attacker to exhaust system resources (a denial of service) via a regular-expression exploit.

The Open Web Application Security Project (OWASP) explains that denial of service (DoS) attacks aim to make a service “unavailable for the purpose it was designed.” 

Details

Module Info

  • Product: Ruby on Rails Framework
  • Affected packages: actionview
  • GitHub repository:
    https://github.com/rails/rails/tree/main/actionview
  • Published package: The individual actionview gem or the entire Rails Framework gem (which includes actionview).
  • Package manager: gem

Vulnerability Info

Steps to Reproduce

1. Install a version of Rails that contains this vulnerability, such as 3.2.18:

gem install rails -v 3.2.18
rails _3.2.18_ new cve_test_app
cd cve_test_app
bundle install

2. Create a vulnerable controller:

rails generate controller Home index

3. Implement vulnerable code in app/controllers/home_controller.rb:

class HomeController < ApplicationController
  def index
    redirect_to params[:url] if params[:url].present?
  end
end

4. Configure the route in config/routes.rb, ensuring the root path is set:

Rails.application.routes.draw do
  root "home#index"
end

5. Start the server:

rails server

6. Send a carefully crafted URL:

curl -i "http://localhost:3000/?url=%0Ajavascript:alert(1)"

7. Observe the behavior:

• If the app redirects to javascript:alert(1), it is vulnerable.

• Some browsers may block the redirect, but older versions or certain contexts might allow it.
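The controller in step 3 redirects to whatever params[:url] holds, which is what step 6 exercises. The following is an added example, not code from this advisory or from the Rails project: a plain-Ruby validator that a hardened controller would call before redirect_to. The helper name, the default allow-list and the commented controller are assumptions made for the example.

```ruby
require "uri"

ALLOWED_SCHEMES = %w[http https].freeze

# Returns +raw+ if it is safe to redirect to, otherwise nil.
# Policy: either a same-origin relative path ("/path", but not "//host/path")
# or an absolute http(s) URL whose host[:port] is explicitly allow-listed.
# (Helper name and default allow-list are assumptions for this example.)
def safe_redirect_target(raw, allowed_hosts: ["localhost:3000"])
  return nil if raw.nil?
  # Reject control characters and whitespace anywhere: the %0A in the step-6
  # URL decodes to a leading newline, which must never reach a redirect.
  return nil if raw.match?(/[[:cntrl:]\s]/)

  uri = URI.parse(raw)
  if uri.scheme.nil? && uri.host.nil?
    # Relative path: accept only "/..." and refuse protocol-relative "//...".
    return (raw.start_with?("/") && !raw.start_with?("//")) ? raw : nil
  end

  # Absolute URL: the scheme must be http(s), which refuses "javascript:" outright...
  return nil unless ALLOWED_SCHEMES.include?(uri.scheme&.downcase)
  # ...and the host (with a non-default port, if any) must be on the allow-list.
  host = (uri.port && uri.port != uri.default_port) ? "#{uri.host}:#{uri.port}" : uri.host
  allowed_hosts.include?(host) ? raw : nil
rescue URI::InvalidURIError
  nil
end

# Hardened form of the step-3 controller, shown as a comment so this file
# runs without Rails (assumed usage, not Rails code):
#
#   class HomeController < ApplicationController
#     def index
#       target = safe_redirect_target(params[:url], allowed_hosts: [request.host_with_port])
#       redirect_to(target || root_path)
#     end
#   end

if __FILE__ == $0
  # Constructed sample inputs, including the decoded form of the step-6 payload.
  ["\njavascript:alert(1)", "javascript:alert(1)", "//evil.example/x",
   "/dashboard", "https://localhost:3000/x"].each do |u|
    puts "#{u.inspect} -> #{safe_redirect_target(u).inspect}"
  end
end
```

The validator fails closed: anything that is not a plain same-origin path or an allow-listed http(s) origin is dropped and the controller falls back to root_path, so the outcome in step 7 becomes a redirect to the application root rather than to the attacker-chosen target.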

Addressing the Issue

Although upgrading Rails is the best way to address this issue, upgrading to Ruby 3.2 is another viable option because it prevents this type of exploit.
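Ruby 3.2 is a viable fallback because it added a regular-expression match budget (Regexp.timeout globally, and a timeout: keyword on Regexp.new per pattern) alongside engine-level backtracking optimisations. The following is an added example, not part of this advisory or of Rails, showing how an application can apply that budget; the constant and helper names are assumptions, and on interpreters older than 3.2 the helper degrades to an unbounded match.

```ruby
# Per-match CPU budget. Name and value are assumptions for this example.
RE_BUDGET_SECONDS = 0.5

# Process-wide default, the one line you would place in a Rails initializer.
# Guarded so the file still loads on Ruby < 3.2, where the setter is absent.
Regexp.timeout = RE_BUDGET_SECONDS if Regexp.respond_to?(:timeout=)

# Returns :match, :no_match or :timeout. A timeout is surfaced as a distinct
# result so a caller can reject the request instead of retrying the match.
def bounded_match(pattern, input, budget: RE_BUDGET_SECONDS)
  re = if Regexp.respond_to?(:timeout)
         # Ruby 3.2+: rebuild the pattern with its own budget.
         Regexp.new(pattern.source, pattern.options, timeout: budget)
       else
         pattern # no per-pattern budget is available before Ruby 3.2
       end
  re.match?(input) ? :match : :no_match
rescue StandardError => e
  # Regexp::TimeoutError does not exist before Ruby 3.2, so compare by name
  # rather than referencing the constant directly.
  raise unless e.class.name == "Regexp::TimeoutError"
  :timeout
end

if __FILE__ == $0
  # Constructed sample inputs.
  puts bounded_match(/\A[a-z]+\z/, "hello")   # :match
  puts bounded_match(/\A[a-z]+\z/, "hello1")  # :no_match
end
```

Treat :timeout as a rejected request (a 4xx response) rather than as "no match and try another pattern": the point of the budget is that one pathological input costs at most one budget per request, not one per regular expression the request touches.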

Credits

Mitigation

Users of affected versions of Ruby on Rails should apply one of the following mitigations:

  • Upgrade to a corrected version.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details

  • ID: CVE-2024-26142
  • Project Affected: Ruby on Rails Framework
  • Versions Affected: 7.1.0.0 to 7.1.3.0
  • Published date: February 27, 2024
  • Fix date: February 27, 2024
  • Severity: High
  • Category: Denial of Service