Vulnerability CVE-2019-16201
Published: 2019-11-26   Modified: 2019-11-29

Description:
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.

Type:

CWE-287

 (Improper Authentication)

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.8/10
6.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
None
Complete
Affected software
Ruby-lang -> RUBY 
Debian -> Debian linux 

 References:
https://hackerone.com/reports/661722
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
https://seclists.org/bugtraq/2019/Dec/31
https://seclists.org/bugtraq/2019/Dec/32
https://www.debian.org/security/2019/dsa-4587
Copyright 2024, cxsecurity.com

 

Back to Top