Vulnerability Details : CVE-2023-22799
A ReDoS-based DoS vulnerability exists in GlobalID versions before 1.0.1. An attacker who supplies carefully crafted input can cause the regular expression engine to take an unexpected amount of time, consuming CPU and denying service to other requests. All users running an affected release should either upgrade to 1.0.1 or later or apply one of the workarounds from the advisory immediately.
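The following Ruby is an added illustration of the vulnerability class described above; it is not GlobalID's code, and the advisory's actual regex and workaround are not reproduced here. The two "app name" validators are constructed stand-ins chosen to accept exactly the same strings while differing in worst-case backtracking, and `match_with_guard` shows the per-match time bound a practitioner can apply as defense in depth while a fix ships.

```ruby
# Added illustration for the ReDoS class described above. NOT GlobalID's code:
# the two "app name" validators are constructed stand-ins, chosen so that they
# accept exactly the same strings but differ in worst-case backtracking.
require "timeout"

# Backtracking-prone form: the group repeats an "alnum+ then optional separator"
# block, so a run of n letters can be split into blocks in 2^(n-1) ways. When the
# overall match fails (e.g. on a trailing "!"), the engine tries every split.
UNSAFE_APP_NAME = /\A([a-z0-9]+[-_]?)+\z/

# Linear form of the same language: labels of [a-z0-9] joined by single "-" or
# "_", with at most one trailing separator. Each position has one way to match,
# so a failing input costs O(n) instead of O(2^n).
SAFE_APP_NAME = /\A[a-z0-9]+(?:[-_][a-z0-9]+)*[-_]?\z/

def valid_app_name?(name)
  SAFE_APP_NAME.match?(name)
end

# Classic ReDoS trigger: a long run the pattern almost matches, ending in a
# character that forces failure and therefore exhaustive backtracking.
def adversarial_input(n)
  ("a" * n) + "!"
end

# Errors that signal "the match was cut off". Regexp::TimeoutError only exists
# on Ruby >= 3.2, so the list is built at load time.
TIMEOUT_ERRORS = [Timeout::Error,
                  (Regexp::TimeoutError if defined?(Regexp::TimeoutError))].compact

# Defense in depth when a regex cannot be rewritten immediately: bound the match.
# On Ruby >= 3.2 the engine-level per-Regexp timeout is used; older interpreters
# fall back to Timeout.timeout, which MRI honours because the matcher polls for
# interrupts. Returns true/false, or :timed_out when the bound was hit.
def match_with_guard(regexp, input, seconds: 0.5)
  if Regexp.respond_to?(:timeout=)
    guarded = Regexp.new(regexp.source, regexp.options, timeout: seconds)
    guarded.match?(input)
  else
    Timeout.timeout(seconds) { regexp.match?(input) }
  end
rescue *TIMEOUT_ERRORS
  :timed_out
end

if __FILE__ == $PROGRAM_NAME
  # Both patterns agree on ordinary inputs.
  %w[my-app_1 app- -app a--b].each do |s|
    puts "#{s.inspect}: unsafe=#{UNSAFE_APP_NAME.match?(s)} safe=#{valid_app_name?(s)}"
  end
  clock = -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) }

  # 30 letters is enough to exceed the bound on interpreters without memoization.
  long = adversarial_input(30)
  t = clock.call
  r = match_with_guard(UNSAFE_APP_NAME, long, seconds: 0.5)
  puts "unsafe on #{long.size} chars: #{r.inspect} in #{(clock.call - t).round(3)}s"

  # The linear rewrite handles an input three thousand times longer.
  t = clock.call
  r = match_with_guard(SAFE_APP_NAME, adversarial_input(100_000))
  puts "safe on 100001 chars: #{r.inspect} in #{(clock.call - t).round(3)}s"
end
```

Two caveats when reading the output: Ruby 3.2 added memoization to the regex engine, so many (not all) nested-quantifier patterns already run in linear time there, which is why the unsafe pattern may finish quickly on a current interpreter; and a timeout only turns unbounded CPU burn into a bounded one, so the real fix is still the rewrite (or the upstream upgrade) rather than the guard.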
Vulnerability category: Denial of service
Products affected by CVE-2023-22799
- cpe:2.3:a:rubyonrails:globalid:*:*:*:*:*:ruby:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-22799
EPSS score: 1.41% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~79% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-22799
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2023-22799
- CWE-400: Uncontrolled Resource Consumption. The product does not properly control the allocation and maintenance of a limited resource. Assigned by: support@hackerone.com (Secondary)
- CWE-1333: Inefficient Regular Expression Complexity. The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Assigned by: nvd@nist.gov (Primary)
References for CVE-2023-22799
- https://discuss.rubyonrails.org/t/cve-2023-22799-possible-redos-based-dos-vulnerability-in-globalid/82127
  [CVE-2023-22799] Possible ReDoS based DoS vulnerability in GlobalID - Security Announcements - Ruby on Rails Discussions (Patch; Vendor Advisory)