GHSA-9h6g-gp95-x3q5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9h6g-gp95-x3q5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-9h6g-gp95-x3q5/GHSA-9h6g-gp95-x3q5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9h6g-gp95-x3q5
- Aliases
- Published
- 2017-10-24T18:33:36Z
- Modified
- 2024-11-29T05:40:56.038460Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- actionpack is vulnerable to denial of service because of a wildcard controller route
- Details
-
actionpack/lib/actiondispatch/routing/routeset.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.
- Database specific
{ "cwe_ids": [], "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:28:45Z", "severity": "HIGH", "nvd_published_at": "2016-02-16T02:59:04Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2015-7581
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7581.yml
- https://groups.google.com/forum/#!topic/rubyonrails-security/dthJ5wL69JE
- https://groups.google.com/forum/message/raw?msg=ruby-security-ann/dthJ5wL69JE/IdvCimtZEgAJ
- https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81677
- https://web.archive.org/web/20200516093752/http://www.securitytracker.com/id/1034816
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
- http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
- http://rhn.redhat.com/errata/RHSA-2016-0296.html
- http://www.debian.org/security/2016/dsa-3464
- http://www.openwall.com/lists/oss-security/2016/01/25/16
Affected packages
RubyGems / actionpack
Package
- Name
- actionpack
- Purl
- pkg:gem/actionpack
Affected versions
4.*
4.0.0
4.0.1.rc1
4.0.1.rc2
4.0.1.rc3
4.0.1.rc4
4.0.1
4.0.2
4.0.3
4.0.4.rc1
4.0.4
4.0.5
4.0.6.rc1
4.0.6.rc2
4.0.6.rc3
4.0.6
4.0.7
4.0.8
4.0.9
4.0.10.rc1
4.0.10.rc2
4.0.10
4.0.11
4.0.11.1
4.0.12
4.0.13.rc1
4.0.13
4.1.0.beta1
4.1.0.beta2
4.1.0.rc1
4.1.0.rc2
4.1.0
4.1.1
4.1.2.rc1
4.1.2.rc2
4.1.2.rc3
4.1.2
4.1.3
4.1.4
4.1.5
4.1.6.rc1
4.1.6.rc2
4.1.6
4.1.7
4.1.7.1
4.1.8
4.1.9.rc1
4.1.9
4.1.10.rc1
4.1.10.rc2
4.1.10.rc3
4.1.10.rc4
4.1.10
4.1.11
4.1.12.rc1
4.1.12
4.1.13.rc1
4.1.13
4.1.14.rc1
4.1.14.rc2
4.1.14
4.1.14.1
4.1.14.2
4.1.15.rc1
4.1.15
4.1.16.rc1
4.1.16
4.2.0.beta1
4.2.0.beta2
4.2.0.beta3
4.2.0.beta4
4.2.0.rc1
4.2.0.rc2
4.2.0.rc3
4.2.0
4.2.1.rc1
4.2.1.rc2
4.2.1.rc3
4.2.1.rc4
4.2.1
4.2.2
4.2.3.rc1
4.2.3
4.2.4.rc1
4.2.4
4.2.5.rc1
4.2.5.rc2
4.2.5