Description
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat CloudForms Tools 1 | rubygem-actionpack | Affected | | |
| CloudForms for RHEL 6 | converge-ui-devel | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | puppet | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-actionpack | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-activerecord | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-activesupport | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-chunky_png | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-compass | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-compass-960-plugin | Fixed | RHSA-2012:1542 | 04.12.2012 |
| CloudForms for RHEL 6 | rubygem-delayed_job | Fixed | RHSA-2012:1542 | 04.12.2012 |
Additional information
Status:
EPSS:
CVSS2: 4.3 Medium
Related vulnerabilities
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method. There is a DoS vulnerability in Action Pack digest authentication handling in Rails.