CVE-2021-22904: Uncontrolled Resource Consumption

June 11, 2021 (updated September 20, 2021)

The actionpack ruby gem suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication.

References

hackerone.com/reports/1101125
nvd.nist.gov/vuln/detail/CVE-2021-22904
security.netapp.com/advisory/ntap-20210805-0009/

Code Behaviors & Features

Detect and mitigate CVE-2021-22904 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →