{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-26142","title":"Title"},{"category":"description","text":"Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-26142","url":"https://www.suse.com/security/cve/CVE-2024-26142"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1220517 for CVE-2024-26142","url":"https://bugzilla.suse.com/1220517"}],"title":"SUSE CVE CVE-2024-26142","tracking":{"current_release_date":"2025-10-07T00:38:28Z","generator":{"date":"2024-02-29T03:37:15Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-26142","initial_release_date":"2024-02-29T03:37:15Z","revision_history":[{"date":"2024-02-29T03:37:15Z","number":"2","summary":"Current version"},{"date":"2025-01-01T01:27:02Z","number":"3","summary":"Current version"},{"date":"2025-01-04T01:30:38Z","number":"4","summary":"Current version"},{"date":"2025-02-14T05:24:54Z","number":"5","summary":"Current version"},{"date":"2025-02-16T05:17:51Z","number":"6","summary":"Current version"},{"date":"2025-03-15T05:29:41Z","number":"7","summary":"Current version"},{"date":"2025-04-24T14:53:14Z","number":"8","summary":"Current version"},{"date":"2025-10-07T00:38:28Z","number":"9","summary":"Current version"}],"status":"interim","version":"9"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp2"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP3","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP5","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp5"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 8","product":{"name":"SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:8"}}},{"category":"product_name","name":"SUSE OpenStack Cloud Crowbar 9","product":{"name":"SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9","product_identification_helper":{"cpe":"cpe:/o:suse:suse-openstack-cloud-crowbar:9"}}},{"category":"product_version","name":"ruby2.1-rubygem-actionpack-4_2","product":{"name":"ruby2.1-rubygem-actionpack-4_2","product_id":"ruby2.1-rubygem-actionpack-4_2","product_identification_helper":{"purl":"pkg:rpm/suse/ruby2.1-rubygem@actionpack-4_2"}}},{"category":"product_version","name":"ruby2.5-rubygem-actionpack-5_1","product":{"name":"ruby2.5-rubygem-actionpack-5_1","product_id":"ruby2.5-rubygem-actionpack-5_1","product_identification_helper":{"purl":"pkg:rpm/suse/ruby2.5-rubygem@actionpack-5_1"}}},{"category":"product_version","name":"rubygem-actionpack-4_2","product":{"name":"rubygem-actionpack-4_2","product_id":"rubygem-actionpack-4_2","product_identification_helper":{"purl":"pkg:rpm/suse/rubygem@actionpack-4_2"}}},{"category":"product_version","name":"rubygem-actionpack-5_1","product":{"name":"rubygem-actionpack-5_1","product_id":"rubygem-actionpack-5_1","product_identification_helper":{"purl":"pkg:rpm/suse/rubygem@actionpack-5_1"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP2","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP2"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionpack-5_1"},"product_reference":"ruby2.5-rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-5_1 as component of SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5:rubygem-actionpack-5_1"},"product_reference":"rubygem-actionpack-5_1","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2"},"product_reference":"ruby2.1-rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 8","product_id":"SUSE OpenStack Cloud Crowbar 8:rubygem-actionpack-4_2"},"product_reference":"rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 8"},{"category":"default_component_of","full_product_name":{"name":"ruby2.1-rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionpack-4_2"},"product_reference":"ruby2.1-rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"},{"category":"default_component_of","full_product_name":{"name":"rubygem-actionpack-4_2 as component of SUSE OpenStack Cloud Crowbar 9","product_id":"SUSE OpenStack Cloud Crowbar 9:rubygem-actionpack-4_2"},"product_reference":"rubygem-actionpack-4_2","relates_to_product_reference":"SUSE OpenStack Cloud Crowbar 9"}]},"vulnerabilities":[{"cve":"CVE-2024-26142","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2024-26142"}],"notes":[{"category":"general","text":"Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP2:rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionpack-5_1","SUSE Linux Enterprise High Availability Extension 15 SP5:rubygem-actionpack-5_1","SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 8:rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-actionpack-4_2","SUSE OpenStack Cloud Crowbar 9:rubygem-actionpack-4_2"]},"references":[{"category":"external","summary":"CVE-2024-26142","url":"https://www.suse.com/security/cve/CVE-2024-26142"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1220517 for CVE-2024-26142","url":"https://bugzilla.suse.com/1220517"}],"threats":[{"category":"impact","date":"2024-02-27T18:00:11Z","details":"important"}],"title":"CVE-2024-26142"}]}