CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
AI Score
Confidence
Low
EPSS
Percentile
83.0%
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
Vendor | Product | Version | CPE |
---|---|---|---|
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:* |
rubyonrails | rails | 3.0.0 | cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:* |
rubyonrails | rails | 3.0.1 | cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:* |
rubyonrails | rails | 3.0.1 | cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:* |
rubyonrails | rails | 3.0.2 | cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:* |