Rubysec

Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at rubysec.com

Advisory Archive

---
gem: actionpack
date: 2016-01-25
url: https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
cve: 2015-7581
title: Object leak vulnerability for wildcard controller routes in Action Pack
description: |
  There is an object leak vulnerability for wildcard controllers in Action Pack.
  This vulnerability has been assigned the CVE identifier CVE-2015-7581.

  Versions Affected:  >= 4.0.0 and < 5.0.0.beta1
  Not affected:       < 4.0.0, 5.0.0.beta1 and newer
  Fixed Versions:     4.2.5.1, 4.1.14.1

  Impact
  ------
  Users that have a route that contains the string ":controller" are susceptible
  to objects being leaked globally which can lead to unbounded memory growth.
  To identify if your application is vulnerable, look for routes that contain
  ":controller".

  Internally, Action Pack keeps a map of "url controller name" to "controller
  class name".  This map is cached globally, and is populated even if the
  controller class doesn't actually exist.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  There are no feasible workarounds for this issue.

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches for
  the two supported release series.  They are in git-am format and consist of a
  single changeset.

  * 4-1-wildcard_route.patch - Patch for 4.1 series
  * 4-2-wildcard_route.patch - Patch for 4.2 series

  Please note that only the 4.1.x and 4.2.x series are supported at present.  Users
  of earlier unsupported releases are advised to upgrade as soon as possible as we
  cannot guarantee the continued availability of security fixes for unsupported
  releases.
unaffected_versions:
- "< 4.0.0"
- ">= 5.0.0.beta1"
patched_versions:
- "~> 4.2.5, >= 4.2.5.1"
- "~> 4.1.14, >= 4.1.14.1"
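
The advisory gives two preconditions (an actionpack in the affected range and a route whose path contains the ":controller" wildcard) and one sentence on the mechanism (a process-wide map from URL controller name to class name that is written even when no such class exists). The Ruby below is an added example, not Action Pack's own code or the Rails patch: part 1 encodes the advisory's version ranges with Gem::Requirement, part 2 finds wildcard ":controller" path segments in a constructed routes.rb (treating hash options such as `:controller => 'posts'` as static, not wildcard), and part 3 is a toy dispatcher whose `leaky_lookup` memoises before resolving, beside a `safe_lookup` that caches only names that resolve. `ToyDispatcher`, `KNOWN_CONTROLLERS`, `SAMPLE_ROUTES` and the `zzz<n>` request names are illustrative assumptions.

```ruby
# Added example (not Action Pack's own code): checks an app for the
# CVE-2015-7581 preconditions and models why the leak occurs. Version bounds
# come from the advisory; ToyDispatcher, KNOWN_CONTROLLERS and the sample
# routes file are constructed for illustration and are not Rails internals.
require "rubygems"

# --- 1. Version check against the advisory's affected/patched ranges --------
AFFECTED_LOWER = Gem::Version.new("4.0.0")
AFFECTED_UPPER = Gem::Version.new("5.0.0.beta1") # exclusive
PATCHED = [Gem::Requirement.new("~> 4.2.5", ">= 4.2.5.1"),
           Gem::Requirement.new("~> 4.1.14", ">= 4.1.14.1")].freeze

def actionpack_affected?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < AFFECTED_LOWER || v >= AFFECTED_UPPER
  PATCHED.none? { |req| req.satisfied_by?(v) }
end

# --- 2. Route check: wildcard :controller segments in config/routes.rb ------
# Only a path string such as ':controller(/:action(/:id))' is a wildcard;
# a hash option like `:controller => 'posts'` is a static mapping, so we
# inspect the quoted string literals on each line rather than grepping raw.
def wildcard_controller_routes(routes_source)
  hits = []
  routes_source.each_line.with_index(1) do |line, n|
    next if line.lstrip.start_with?("#")
    literals = line.scan(/'([^']*)'|"([^"]*)"/).flatten.compact
    wildcard = literals.any? { |s| s.match?(%r{(\A|/):controller(\b|\z)}) }
    hits << "#{n}: #{line.strip}" if wildcard
  end
  hits
end

SAMPLE_ROUTES = <<~ROUTES # constructed sample, not from any real app
  Rails.application.routes.draw do
    resources :posts
    get ':controller(/:action(/:id))'
    # get ':controller/:action'
    get 'legacy', :controller => 'posts', :action => 'index'
  end
ROUTES

# --- 3. The leak: a toy model of the controller-name cache ------------------
# The dispatcher turns the URL segment ("posts") into a class name
# ("PostsController") and memoises that mapping process-wide. If the cache
# entry is written before the class is looked up, every unknown segment an
# attacker requests (/zzz0, /zzz1, ...) becomes a permanent entry.
module ToyDispatcher
  KNOWN_CONTROLLERS = %w[PostsController UsersController].freeze # constructed

  class << self
    attr_reader :leaky_cache, :safe_cache

    def reset!
      @leaky_cache = {}
      @safe_cache  = {}
    end

    def camelize(segment)
      segment.split("/").map { |p| p.split("_").map(&:capitalize).join }.join("::")
    end

    # Vulnerable shape: memoise first, resolve second.
    def leaky_lookup(segment)
      name = @leaky_cache[segment] ||= "#{camelize(segment)}Controller"
      KNOWN_CONTROLLERS.include?(name) ? name : nil
    end

    # Hardened shape: resolve first, cache only segments that map to a real class.
    def safe_lookup(segment)
      return @safe_cache[segment] if @safe_cache.key?(segment)
      name = "#{camelize(segment)}Controller"
      return nil unless KNOWN_CONTROLLERS.include?(name)
      @safe_cache[segment] = name
    end
  end
  reset!
end

# Simulate `count` requests for controllers that do not exist, plus one real
# one, and return [leaky cache size, safe cache size].
def simulate_requests(count)
  ToyDispatcher.reset!
  count.times do |i|
    ToyDispatcher.leaky_lookup("zzz#{i}")
    ToyDispatcher.safe_lookup("zzz#{i}")
  end
  ToyDispatcher.leaky_lookup("posts")
  ToyDispatcher.safe_lookup("posts")
  [ToyDispatcher.leaky_cache.size, ToyDispatcher.safe_cache.size]
end

if $PROGRAM_NAME == __FILE__
  puts "actionpack 4.2.5 affected? #{actionpack_affected?('4.2.5')}"
  puts "wildcard routes: #{wildcard_controller_routes(SAMPLE_ROUTES).inspect}"
  puts "cache sizes after 1000 bogus requests (leaky, safe): #{simulate_requests(1000).inspect}"
end
```

Run it against `bundle show actionpack` output and your own `config/routes.rb`; since the advisory lists no feasible workaround, a hit on both checks means upgrading to 4.2.5.1 / 4.1.14.1 or applying the corresponding git-am patch, not tuning the cache. The toy's hardened lookup is one reasonable shape (resolve before caching), not a claim about what the Rails patch does internally.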