GHSA-92w9-2pqw-rhjj

Source

https://github.com/advisories/GHSA-92w9-2pqw-rhjj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-92w9-2pqw-rhjj/GHSA-92w9-2pqw-rhjj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-92w9-2pqw-rhjj

Aliases

CVE-2012-3424

Published

2017-10-24T18:33:38Z

Modified

2024-11-30T05:28:53.649629Z

Summary

actionpack Improper Authentication vulnerability

Details

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.

Database specific

{
    "nvd_published_at": "2012-08-08T10:26:19Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:27:14Z"
}

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.16

Affected versions

0.*

0.9.0

0.9.5

1.*

1.0.0

1.0.1

1.1.0

1.2.0

1.3.0

1.3.1

1.4.0

1.5.0

1.5.1

1.6.0

1.7.0

1.8.0

1.8.1

1.9.0

1.9.1

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

2.*

2.0.0

2.0.1

2.0.2

2.0.4

2.0.5

2.1.0

2.1.1

2.1.2

2.2.2

2.2.3

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8.pre1

2.3.8

2.3.9.pre

2.3.9

2.3.10

2.3.11

2.3.12

2.3.14

2.3.15

2.3.16

2.3.17

2.3.18

3.*

3.0.0.beta

3.0.0.beta2

3.0.0.beta3

3.0.0.beta4

3.0.0.rc

3.0.0.rc2

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4.rc1

3.0.4

3.0.5.rc1

3.0.5

3.0.6.rc1

3.0.6.rc2

3.0.6

3.0.7.rc1

3.0.7.rc2

3.0.7

3.0.8.rc1

3.0.8.rc2

3.0.8.rc4

3.0.8

3.0.9.rc1

3.0.9.rc3

3.0.9.rc4

3.0.9.rc5

3.0.9

3.0.10.rc1

3.0.10

3.0.11

3.0.12.rc1

3.0.12

3.0.13.rc1

3.0.13

3.0.14

3.0.15

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1.0

Fixed

3.1.7

Affected versions

3.*

3.1.0

3.1.1.rc1

3.1.1.rc2

3.1.1.rc3

3.1.1

3.1.2.rc1

3.1.2.rc2

3.1.2

3.1.3

3.1.4.rc1

3.1.4

3.1.5.rc1

3.1.5

3.1.6

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.2.0

Fixed

3.2.7

Affected versions

3.*

3.2.0

3.2.1

3.2.2.rc1

3.2.2

3.2.3.rc1

3.2.3.rc2

3.2.3

3.2.4.rc1

3.2.4

3.2.5

3.2.6

3.2.7.rc1