RubySec

Providing security resources for the Ruby community

CVE-2021-22904 (actionpack): Possible DoS Vulnerability in Action Controller Token Authentication

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • < 4.0.0

PATCHED VERSIONS

  • ~> 5.2.4.6
  • ~> 5.2.6
  • ~> 6.0.3.7
  • >= 6.1.3.2

DESCRIPTION

There is a possible DoS vulnerability in the Token Authentication logic in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2021-22904.

Versions Affected: >= 4.0.0 Not affected: < 4.0.0 Fixed Versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6

Impact

Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication. Impacted code will look something like this:

class PostsController < ApplicationController
  before_action :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_token do |token, options|
      # ...
    end
  end
end

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module ActionController::HttpAuthentication::Token
  AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/
end