The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb
in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts
Digest Authentication strings to symbols, which allows remote attackers to cause
a denial of service by leveraging access to an application that uses a with_http_digest
helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
CPE | Name | Operator | Version |
---|---|---|---|
actionpack | lt | 2.3.5 | |
actionpack | le | 2.3.14 | |
actionpack | le | 3.0.15 | |
actionpack | ge | 3.1.0 | |
actionpack | le | 3.1.6 | |
actionpack | ge | 3.2.0 | |
actionpack | lt | 3.2.7 |