CVE-2021-22904: 
Ruby vulnerability analysis and mitigation

The actionpack ruby gem before versions 6.1.3.2, 6.0.3.7, 5.2.4.6, and 5.2.6 contains a denial of service vulnerability (CVE-2021-22904) in the Token Authentication logic in Action Controller. The vulnerability is caused by a too permissive regular expression in the authentication mechanism. The issue affects code that uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication (Ruby Rails Discussion).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This indicates that the vulnerability can be exploited remotely with low attack complexity, requires no privileges or user interaction, and can result in high impact on system availability (NVD).

Successful exploitation of this vulnerability could lead to a Denial of Service (DoS) condition in applications using the affected token authentication functionality. The vulnerability affects the availability of the system while maintaining no impact on confidentiality or integrity (Ubuntu Security).

A temporary workaround can be implemented by placing the following monkey patch in an initializer: module ActionController::HttpAuthentication::Token AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/ end. For a permanent fix, users should upgrade to the fixed versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, or 5.2.6 (Ruby Rails Discussion).