ADVISORIES
- CVE-2012-3424 (NVD)
- GHSA-92w9-2pqw-rhjj
- OSVDB-84243
GEM
FRAMEWORK
SEVERITY
CVSS v2.0: 5.0 (Medium)
UNAFFECTED VERSIONS
- >= 2.3.5, <= 2.3.14
PATCHED VERSIONS
- ~> 3.0.16
- ~> 3.1.7
- >= 3.2.7
DESCRIPTION
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts the strings in a Digest Authentication header to symbols. This allows remote attackers who can reach an application that uses a with_http_digest helper method (for example, authenticate_or_request_with_http_digest) to cause a denial of service.
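As an added illustration (not Rails' own code, and not the patched decode_credentials), the following constructed Ruby shows the bug class the advisory describes: a Digest Authorization header parser that interns every client-supplied field name as a symbol, beside a version that keeps keys as strings and accepts only the field names the Digest scheme defines. The header value, the field list and the function names are assumptions made for this example.

```ruby
# Constructed example: decoding the Digest scheme of an Authorization header.
#
# Digest credentials arrive as comma-separated key=value pairs, e.g.
#   Digest username="alice", realm="app", nonce="abc", uri="/", response="..."
# The client controls every key, so each request can carry never-seen-before keys.

# Field names defined for the Digest scheme (assumed list for this example).
DIGEST_FIELDS = %w[username realm nonce uri qop nc cnonce response opaque algorithm].freeze

# Splits the header into [key, value] pairs with surrounding quotes removed.
def digest_pairs(header)
  header.to_s.sub(/\ADigest\s+/, '').split(',').map do |pair|
    key, value = pair.split('=', 2)
    [key.to_s.strip, value.to_s.strip.gsub(/\A"|"\z/, '')]
  end
end

# Vulnerable pattern: every client-chosen key is interned with to_sym.
# On Ruby versions where symbols are never garbage collected, a client that
# sends a fresh key name per request grows the symbol table until memory
# is exhausted; that is the denial of service described above.
def decode_credentials_unsafe(header)
  Hash[digest_pairs(header).map { |k, v| [k.to_sym, v] }]
end

# Hardened pattern: keys stay Strings (collected like any other object) and
# only known Digest field names are kept, so unknown keys are dropped.
def decode_credentials_safe(header)
  digest_pairs(header).each_with_object({}) do |(k, v), creds|
    creds[k] = v if DIGEST_FIELDS.include?(k)
  end
end

if __FILE__ == $0
  # Constructed header with one attacker-chosen field name appended.
  hdr = 'Digest username="alice", realm="app", nonce="n1", uri="/", response="r", junk9f3="x"'
  p decode_credentials_unsafe(hdr).keys  # includes :junk9f3, a newly interned symbol
  p decode_credentials_safe(hdr).keys    # strings only; the unknown field is dropped
end
```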