CVE-2023-22792: 
Ruby vulnerability analysis and mitigation

CVE-2023-22792 is a regular expression based Denial of Service (ReDoS) vulnerability affecting Action Dispatch in Ruby on Rails versions 3.0.0 through versions prior to 6.0.6.1, 6.1.7.1, and 7.0.4.1. The vulnerability was disclosed on January 17, 2023, and has been assigned a CVSS score of 7.5 (HIGH) (RubyRails Discussion, NetApp Security).

The vulnerability occurs when specially crafted cookies are combined with a specially crafted X_FORWARDED_HOST header, causing the regular expression engine to enter a state of catastrophic backtracking. This condition can result in the process consuming excessive CPU and memory resources (RubyRails Discussion).

When successfully exploited, this vulnerability can lead to a Denial of Service (DoS) condition, causing the affected system to experience significant performance degradation due to excessive resource consumption (NetApp Security).

Users are recommended to upgrade to the fixed versions (6.1.7.1, 7.0.4.1). For those unable to upgrade immediately, a temporary mitigation involves using a load balancer or other device to filter out malicious X_FORWARDED_HOST headers before they reach the application. Patches are available for supported release series in git-am format (RubyRails Discussion).