Описание
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
It was found that WEBrick could be forced to use an excessive amount of memory during the processing of HTTP requests, leading to a Denial of Service. An attacker could use this flaw to send huge requests to a WEBrick application, resulting in the server running out of memory.
Отчет
This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/. This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | rh-ruby22-ruby | Affected | ||
| CloudForms Management Engine 5 | ruby-200-ruby | Affected | ||
| Red Hat Enterprise Linux 5 | ruby | Will not fix | ||
| Red Hat Enterprise Linux 6 | ruby | Will not fix | ||
| Red Hat Enterprise Linux 8 | ruby | Not affected | ||
| Red Hat Software Collections | rh-ruby22-ruby | Will not fix | ||
| Red Hat Subscription Asset Manager | ruby193-ruby | Will not fix | ||
| Red Hat Enterprise Linux 7 | ruby | Fixed | RHSA-2019:2028 | 06.08.2019 |
| Red Hat Enterprise Linux 7.4 Advanced Update Support | ruby | Fixed | RHSA-2020:0591 | 25.02.2020 |
| Red Hat Enterprise Linux 7.4 Telco Extended Update Support | ruby | Fixed | RHSA-2020:0591 | 25.02.2020 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x b ...
In Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1, an attacker can pass a large HTTP request with a crafted header to WEBrick server or a crafted body to WEBrick server/handler and cause a denial of service (memory consumption).
Уязвимость библиотеки WEBrick интерпретатора языка программирования Ruby, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
7.5 High
CVSS3