Lucene search

K

GoogleOSV:GHSA-FFPV-C4HM-3X6V

HistoryOct 24, 2017 - 6:33 p.m.

actionpack is vulnerable to denial of service via a crafted HTTP Accept header

2017-10-2418:33:35

Google

osv.dev

6

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

84.3%

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

CPENameOperatorVersion
actionpackeq3.1.0.rc2
actionpackeq3.1.1.rc1
actionpackeq3.2.6
actionpackeq4.0.6.rc1
actionpackeq4.2.5.rc2
actionpackeq3.2.14.rc2
actionpackeq3.2.20
actionpackeq4.0.4.rc1
actionpackeq2.0.5
actionpackeq3.0.19

Rows per page:

1-10 of 2501

References

lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html

lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html

lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

lists.opensuse.org/opensuse-updates/2016-02/msg00034.html

lists.opensuse.org/opensuse-updates/2016-02/msg00043.html

rhn.redhat.com/errata/RHSA-2016-0296.html

www.debian.org/security/2016/dsa-3464

www.openwall.com/lists/oss-security/2016/01/25/9

github.com/rails/rails

github.com/rails/rails/commit/127967b735813cd4f263df7a50426d74e7e9cc17

github.com/rails/rails/commit/221937c8ba1d291430ceddebbd4bdef7d3cb47d6

github.com/rails/rails/commit/37047b779a177b911c7161052cfc34a30e1db0af

github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0751.yml

groups.google.com/forum/#!topic/rubyonrails-security/9oLY_FCzvoc

groups.google.com/forum/message/raw?msg=ruby-security-ann/9oLY_FCzvoc/5CDXbvpYEgAJ

nvd.nist.gov/vuln/detail/CVE-2016-0751

web.archive.org/web/20160128201702/www.securitytracker.com/id/1034816

web.archive.org/web/20200227181647/www.securityfocus.com/bid/81800

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.011 Low

EPSS

Percentile

84.3%

Related for OSV:GHSA-FFPV-C4HM-3X6V

prion1 cve1 debiancve1 ubuntucve1 github1 rubygems1 apple2 openvas7 nessus8 fedora3 debian2 redhat3 ibm1 freebsd1 osv1 suse1