GHSA-9h6g-gp95-x3q5

Source

https://github.com/advisories/GHSA-9h6g-gp95-x3q5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9h6g-gp95-x3q5/GHSA-9h6g-gp95-x3q5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9h6g-gp95-x3q5

Aliases

CVE-2015-7581

Published

2017-10-24T18:33:36Z

Modified

2024-02-16T08:25:25.786006Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

actionpack is vulnerable to denial of service because of a wildcard controller route

Details

actionpack/lib/actiondispatch/routing/routeset.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

References

Affected packages

RubyGems / actionpack

Package

Name: actionpack
Purl: pkg:gem/actionpack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.2.5.1

Affected versions

4.*

4.0.0

4.0.1.rc1

4.0.1.rc2

4.0.1.rc3

4.0.1.rc4

4.0.1

4.0.2

4.0.3

4.0.4.rc1

4.0.4

4.0.5

4.0.6.rc1

4.0.6.rc2

4.0.6.rc3

4.0.6

4.0.7

4.0.8

4.0.9

4.0.10.rc1

4.0.10.rc2

4.0.10

4.0.11

4.0.11.1

4.0.12

4.0.13.rc1

4.0.13

4.1.0.beta1

4.1.0.beta2

4.1.0.rc1

4.1.0.rc2

4.1.0

4.1.1

4.1.2.rc1

4.1.2.rc2

4.1.2.rc3

4.1.2

4.1.3

4.1.4

4.1.5

4.1.6.rc1

4.1.6.rc2

4.1.6

4.1.7

4.1.7.1

4.1.8

4.1.9.rc1

4.1.9

4.1.10.rc1

4.1.10.rc2

4.1.10.rc3

4.1.10.rc4

4.1.10

4.1.11

4.1.12.rc1

4.1.12

4.1.13.rc1

4.1.13

4.1.14.rc1

4.1.14.rc2

4.1.14

4.1.14.1

4.1.14.2

4.1.15.rc1

4.1.15

4.1.16.rc1

4.1.16

4.2.0.beta1

4.2.0.beta2

4.2.0.beta3

4.2.0.beta4

4.2.0.rc1

4.2.0.rc2

4.2.0.rc3

4.2.0

4.2.1.rc1

4.2.1.rc2

4.2.1.rc3

4.2.1.rc4

4.2.1

4.2.2

4.2.3.rc1

4.2.3

4.2.4.rc1

4.2.4

4.2.5.rc1

4.2.5.rc2

4.2.5

Database specific

{
    "last_known_affected_version_range": "<= 4.2.5.0"
}