RubySec

Providing security resources for the Ruby community

CVE-2012-3424 (actionpack): Ruby on Rails actionpack/lib/action_controller/metal/http_authentication.rb with_http_digest Helper Method Remote DoS

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 5.0

UNAFFECTED VERSIONS

  • >= 2.3.5, <= 2.3.14

PATCHED VERSIONS

  • ~> 3.0.16
  • ~> 3.1.7
  • >= 3.2.7

DESCRIPTION

Ruby on Rails contains a flaw that may allow a remote denial of service. The issue is triggered when an error occurs in actionpack/lib/action_controller/metal/http_authentication.rb when the with_http_digest helper method is being used. This may allow a remote attacker to cause a loss of availability for the program.