RubySec

Providing security resources for the Ruby community

CVE-2014-0082 (actionpack): CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 5.0

UNAFFECTED VERSIONS

  • >= 4.0.0

PATCHED VERSIONS

  • >= 3.2.17

DESCRIPTION

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.