CVSS2 base score | 5.0 (Medium)
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | PARTIAL
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS score | 0.009 (Low)
---|---
Percentile | 82.8%
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.

There is a DoS vulnerability in Action Pack digest authentication handling in Rails. Every key in the client-supplied `Authorization: Digest ...` header is interned with `to_sym` while the header is being parsed, before any credential is checked, so no valid account is needed. Symbols were not garbage-collected by the Ruby interpreters of the time (symbol GC arrived in Ruby 2.2), so repeated unauthenticated requests carrying many unique keys grow the symbol table until the process runs out of memory. The fix shipped in Rails 3.0.16, 3.1.7 and 3.2.7, which stop interning client-controlled strings; any application exposing an action protected by `authenticate_or_request_with_http_digest` on an earlier 3.x release should upgrade.
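The following is an added, illustrative reconstruction of the pattern behind this CVE, not the Rails source: a Digest header parser that interns every client-supplied key next to a hardened variant that keeps keys as strings and only accepts the fixed RFC 2617 field set. The function and constant names (`decode_credentials_vulnerable`, `decode_credentials_hardened`, `DIGEST_FIELDS`, `attacker_header`) and the sample header are assumptions made for the example.

```ruby
# Added example, not Rails code: reconstructs the CVE-2012-3424 pattern.
# A Digest Authorization header is split into key/value pairs and every key is
# interned with String#to_sym. The keys are attacker-controlled, so one request
# can mint an unbounded number of symbols. On Ruby < 2.2 symbols are never
# garbage collected, so memory grows until the process dies.

# RFC 2617 Digest fields a server actually needs (assumed allow-list).
DIGEST_FIELDS = %w[username realm nonce uri qop nc cnonce response opaque algorithm].freeze

# Split 'Digest k1="v1", k2=v2, ...' into [[key, value], ...], stripping quotes.
def split_digest_pairs(header)
  header.to_s.sub(/\ADigest\s+/, '').split(',').map do |pair|
    key, value = pair.split('=', 2)
    [key.to_s.strip, value.to_s.strip.gsub(/\A"|"\z/, '')]
  end
end

# Vulnerable shape: every client-supplied key becomes a Symbol.
def decode_credentials_vulnerable(header)
  split_digest_pairs(header).each_with_object({}) do |(k, v), h|
    h[k.to_sym] = v
  end
end

# Hardened shape: keys stay Strings and anything outside the known field set is
# dropped, so no attacker-controlled data is ever interned.
def decode_credentials_hardened(header)
  split_digest_pairs(header).each_with_object({}) do |(k, v), h|
    h[k] = v if DIGEST_FIELDS.include?(k)
  end
end

# Constructed attacker request: plausible Digest fields plus `junk_keys`
# unique garbage keys. No valid credentials are required.
def attacker_header(junk_keys = 1000)
  junk = Array.new(junk_keys) { |i| "x#{i}_#{rand(36**8).to_s(36)}=1" }
  'Digest username="alice", realm="app", nonce="abc", uri="/", response="00", ' +
    junk.join(', ')
end

if __FILE__ == $0
  hdr = attacker_header
  before = Symbol.all_symbols.size
  decode_credentials_vulnerable(hdr)
  puts "vulnerable parser interned #{Symbol.all_symbols.size - before} new symbols"
  before = Symbol.all_symbols.size
  decode_credentials_hardened(hdr)
  puts "hardened parser interned #{Symbol.all_symbols.size - before} new symbols"
end
```

Running the script shows roughly one new symbol per junk key for the vulnerable parser and none for the hardened one; on a pre-2.2 interpreter those symbols are never reclaimed, which is the whole attack. The same rule generalises beyond Digest auth: never call `to_sym` (or `send`, `const_get`, etc.) on a string the client chose.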
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
tyhicks | 3.x.x, before 3.0.16, 3.1.7, and 3.2.7, is affected |