Total
225 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-22795 | 3 Debian, Ruby-lang, Rubyonrails | 3 Debian Linux, Ruby, Rails | 2024-02-02 | N/A | 7.5 HIGH |
| A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
| CVE-2023-22792 | 1 Rubyonrails | 1 Rails | 2024-02-02 | N/A | 7.5 HIGH |
| A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1. Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected release should either upgrade or use one of the workarounds immediately. | |||||
| CVE-2022-23517 | 2 Debian, Rubyonrails | 2 Debian Linux, Rails Html Sanitizers | 2024-02-01 | N/A | 7.5 HIGH |
| rails-html-sanitizer is responsible for sanitizing HTML fragments in Rails applications. Certain configurations of rails-html-sanitizer < 1.4.4 use an inefficient regular expression that is susceptible to excessive backtracking when attempting to sanitize certain SVG attributes. This may lead to a denial of service through CPU resource consumption. This issue has been patched in version 1.4.4. | |||||
| CVE-2023-6159 | 1 Gitlab | 1 Gitlab | 2024-01-31 | N/A | 6.5 MEDIUM |
| An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input. | |||||
| CVE-2024-23732 | 1 Embedchain | 1 Embedchain | 2024-01-26 | N/A | 7.5 HIGH |
| The JSON loader in Embedchain before 0.1.57 allows a ReDoS (regular expression denial of service) via a long string to json.py. | |||||
| CVE-2023-28756 | 3 Debian, Fedoraproject, Ruby-lang | 4 Debian Linux, Fedora, Ruby and 1 more | 2024-01-24 | N/A | 5.3 MEDIUM |
| A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2. | |||||
| CVE-2021-41817 | 6 Debian, Fedoraproject, Opensuse and 3 more | 9 Debian Linux, Fedora, Factory and 6 more | 2024-01-24 | 5.0 MEDIUM | 7.5 HIGH |
| Date.parse in the date gem through 3.2.0 for Ruby allows ReDoS (regular expression Denial of Service) via a long string. The fixed versions are 3.2.1, 3.1.2, 3.0.2, and 2.0.1. | |||||
| CVE-2023-34104 | 1 Fast-xml-parser Project | 1 Fast-xml-parser | 2024-01-22 | N/A | 7.5 HIGH |
| fast-xml-parser is an open source, pure javascript xml parser. fast-xml-parser allows special characters in entity names, which are not escaped or sanitized. Since the entity name is used for creating a regex for searching and replacing entities in the XML body, an attacker can abuse it for denial of service (DoS) attacks. By crafting an entity name that results in an intentionally bad performing regex and utilizing it in the entity replacement step of the parser, this can cause the parser to stall for an indefinite amount of time. This problem has been resolved in v4.2.4. Users are advised to upgrade. Users unable to upgrade should avoid using DOCTYPE parsing by setting the `processEntities: false` option. | |||||
| CVE-2023-31606 | 1 Promptworks | 1 Redcloth | 2024-01-10 | N/A | 7.5 HIGH |
| A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload. | |||||
| CVE-2023-29487 | 3 Apple, Heimdalsecurity, Microsoft | 3 Macos, Thor, Windows | 2024-01-04 | N/A | 9.1 CRITICAL |
| An issue was discovered in Heimdal Thor agent versions 3.4.2 and before on Windows and 2.6.9 and before on macOS, allows attackers to cause a denial of service (DoS) via the Threat To Process Correlation threat prevention module. | |||||
| CVE-2023-29486 | 3 Apple, Heimdalsecurity, Microsoft | 3 Macos, Thor, Windows | 2023-12-29 | N/A | 9.8 CRITICAL |
| An issue was discovered in Heimdal Thor agent versions 3.4.2 and before 3.7.0 on Windows, allows attackers to bypass USB access restrictions, execute arbitrary code, and obtain sensitive information via Next-Gen Antivirus component. | |||||
| CVE-2023-50249 | 1 Sentry | 1 Astro | 2023-12-28 | N/A | 7.5 HIGH |
| Sentry-Javascript is official Sentry SDKs for JavaScript. A ReDoS (Regular expression Denial of Service) vulnerability has been identified in Sentry's Astro SDK 7.78.0-7.86.0. Under certain conditions, this vulnerability allows an attacker to cause excessive computation times on the server, leading to denial of service (DoS). This vulnerability has been patched in sentry/astro version 7.87.0. | |||||
| CVE-2022-30122 | 2 Debian, Rack Project | 2 Debian Linux, Rack | 2023-12-20 | N/A | 7.5 HIGH |
| A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. | |||||
| CVE-2023-48631 | 1 Adobe | 1 Css-tools | 2023-12-18 | N/A | 7.5 HIGH |
| @adobe/css-tools versions 4.3.1 and earlier are affected by an Improper Input Validation vulnerability that could result in a denial of service while attempting to parse CSS. | |||||
| CVE-2022-44572 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. | |||||
| CVE-2022-44571 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. | |||||
| CVE-2022-44570 | 1 Rack Project | 1 Rack | 2023-12-08 | N/A | 7.5 HIGH |
| A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. | |||||
| CVE-2023-46402 | 1 Git-urls Project | 1 Git-urls | 2023-11-28 | N/A | 7.5 HIGH |
| git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in urls.go. | |||||
| CVE-2023-45806 | 1 Discourse | 1 Discourse | 2023-11-17 | N/A | 5.4 MEDIUM |
| Discourse is an open source platform for community discussion. Prior to version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches, if a user has been quoted and uses a `|` in their full name, they might be able to trigger a bug that generates a lot of duplicate content in all the posts they've been quoted by updating their full name again. Version 3.1.3 of the `stable` branch and version 3.2.0.beta3 of the `beta` and `tests-passed` branches contain a patch for this issue. No known workaround exists, although one can stop the "bleeding" by ensuring users only use alphanumeric characters in their full name field. | |||||
| CVE-2023-39619 | 1 Teomantuncer | 1 Node Email Check | 2023-11-07 | N/A | 7.5 HIGH |
| ReDos in NPMJS Node Email Check v.1.0.4 allows an attacker to cause a denial of service via a crafted string to the scpSyntax component. | |||||