# CVE-2024-47888.yml
---
gem: actiontext
framework: rails
cve: 2024-47888
ghsa: wwhv-wxv9-rpgw
url: https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
title: Possible ReDoS vulnerability in plain_text_for_blockquote_node
  in Action Text
date: 2024-10-15
description: |
  There is a possible ReDoS vulnerability in the
  plain_text_for_blockquote_node helper in Action Text. This
  vulnerability has been assigned the CVE identifier CVE-2024-47888.

  ## Impact

  Carefully crafted text can cause the plain_text_for_blockquote_node
  helper to take an unexpected amount of time, possibly resulting
  in a DoS vulnerability. All users running an affected release should
  either upgrade or apply the relevant patch immediately.

  Ruby 3.2 has mitigations for this problem, so Rails applications
  using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends
  on Ruby 3.2 or greater so is unaffected.

  ## Releases

  The fixed releases are available at the normal locations.

  ## Workarounds

  Users can avoid calling `plain_text_for_blockquote_node` or
  upgrade to Ruby 3.2.

  ## Credits

  Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
unaffected_versions:
  - "< 6.0.0"
patched_versions:
  - "~> 6.1.7.9"
  - "~> 7.0.8.5"
  - "~> 7.1.4, >= 7.1.4.1"
  - ">= 7.2.1.1"
related:
  url:
    - https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
    - https://hackerone.com/reports/2792776
    - https://github.com/advisories/GHSA-wwhv-wxv9-rpgw