Vulnerability CVE-2019-5419


Published: 2019-03-27

Description:
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1: specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive. The fixed releases are therefore 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1; the 4.1.x, 4.0.x and 3.2.x releases in the affected list below fall under <4.2.11.1 and have no fixed release in their own series. No authentication is needed and the request is a single HTTP request, so the exposure is any endpoint that reaches Action View's content negotiation.
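The advisory names the trigger (a crafted Accept header reaching Action View) but not the payload, so short of upgrading the only generic control an operator can apply is to bound what the framework is allowed to parse. The following Rack-compatible middleware is an added example, not code from this page or from the Rails project: it caps the header's byte size and media-range count, rejects syntactically malformed ranges, and rewrites the header to the media types the application actually serves. The limits, the KNOWN_TYPES allow list and the fallback to */* are assumptions chosen for illustration, and the sample headers at the bottom are constructed.

```ruby
# Added example (not from the cxsecurity page and not Rails code): a Rack-compatible
# middleware that bounds and normalizes the Accept header before the framework parses it.
# The limits, the allow list and the rewrite policy are assumptions for illustration.

class AcceptHeaderGuard
  Result = Struct.new(:action, :accept, :reason) # action: :pass, :rewrite or :reject

  MAX_HEADER_BYTES = 512 # assumption: real browsers send well under 200 bytes
  MAX_MEDIA_RANGES = 16  # assumption

  # Media ranges the application actually serves (assumption; extend per application).
  KNOWN_TYPES = %w[*/* text/* text/html text/plain text/csv application/*
                   application/json application/xml application/javascript image/*].freeze

  # RFC 7230 token, a media range "type/subtype", and a ";name=value" parameter.
  TOKEN       = /[A-Za-z0-9!\#$%&'*+.^_`|~-]+/
  MEDIA_RANGE = %r{\A#{TOKEN}/#{TOKEN}\z}
  PARAMETER   = /\A#{TOKEN}=(?:#{TOKEN}|"[^"]*")\z/

  # Classifies an Accept value without consulting any framework MIME registry.
  # Quoted parameter values containing ';' are not supported by the simple split
  # below and are rejected as malformed, which is the conservative outcome.
  def self.sanitize(accept)
    return Result.new(:pass, accept, "absent") if accept.nil? || accept.strip.empty?
    if accept.bytesize > MAX_HEADER_BYTES
      return Result.new(:reject, nil, "Accept header longer than #{MAX_HEADER_BYTES} bytes")
    end

    ranges = accept.split(",").map(&:strip).reject(&:empty?)
    if ranges.size > MAX_MEDIA_RANGES
      return Result.new(:reject, nil, "more than #{MAX_MEDIA_RANGES} media ranges")
    end

    kept = []
    dropped = []
    ranges.each do |range|
      type, *params = range.split(";").map(&:strip)
      unless MEDIA_RANGE.match?(type) && params.all? { |p| PARAMETER.match?(p) }
        return Result.new(:reject, nil, "malformed media range #{range.inspect}")
      end
      if KNOWN_TYPES.include?(type.downcase)
        kept << range
      else
        dropped << type
      end
    end

    return Result.new(:pass, accept, "all media ranges known") if dropped.empty?
    kept << "*/*" if kept.empty? # policy choice: fall back to the app's default representation
    Result.new(:rewrite, kept.join(", "), "dropped unknown types: #{dropped.join(', ')}")
  end

  def initialize(app)
    @app = app
  end

  def call(env)
    result = self.class.sanitize(env["HTTP_ACCEPT"])
    if result.action == :reject
      body = "Bad Request: #{result.reason}\n"
      # Lowercase header names satisfy both Rack 2 and Rack 3.
      return [400, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
    end
    env["HTTP_ACCEPT"] = result.accept if result.action == :rewrite
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers: a typical browser header and a synthetic oversized one.
  app = AcceptHeaderGuard.new(->(env) { [200, {}, [env["HTTP_ACCEPT"]]] })
  browser = "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
  flood   = (["application/x-#{'a' * 40}"] * 200).join(",")
  [browser, flood].each do |hdr|
    status, _headers, body = app.call("HTTP_ACCEPT" => hdr)
    puts "#{status}: #{body.first}"
  end
end
```

In a Rails application it would be mounted ahead of everything else (config.middleware.insert_before 0, AcceptHeaderGuard) so it runs before content negotiation. It is defense in depth only; the remedy is the fixed release listed in the description. The rewrite policy has a visible trade-off: a client whose Accept lists only types the application does not serve gets the default representation instead of a 406, so return 406 from the :rewrite branch if strict negotiation matters more than availability.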

Type:
CWE-400 (Uncontrolled Resource Consumption ('Resource Exhaustion'))

Vendor: Debian
Product: Debian Linux
Version: 8.0
Vendor: Rubyonrails
Product: Rails 
Version:
5.2.2
5.2.1.1
5.2.1
5.2.0
5.1.6.1
5.1.6
5.1.5
5.1.4
5.1.3
5.1.2
5.1.1
5.1.0
5.0.7.1
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
5.0.1
5.0.0.1
5.0.0
4.2.9
4.2.8
4.2.7.1
4.2.7
4.2.6
4.2.5.2
4.2.5.1
4.2.5
4.2.4
4.2.3
4.2.2
4.2.11
4.2.10
4.2.1
4.2.0
4.1.9
4.1.8
4.1.7.1
4.1.7
4.1.6
4.1.5
4.1.4
4.1.3
4.1.2
4.1.16
4.1.15
4.1.14.2
4.1.14.1
4.1.14
4.1.13
4.1.12
4.1.11
4.1.10
4.1.1
4.1.0
4.0.9
4.0.8
4.0.7
4.0.6
4.0.5
4.0.4
4.0.3
4.0.2
4.0.13
4.0.12
4.0.11.1
4.0.11
4.0.10
4.0.1
4.0.0
3.2.9
3.2.8
3.2.7
3.2.6
3.2.5
3.2.4
3.2.3
3.2.22.5
3.2.22.4
3.2.22.3
3.2.22.2
3.2.22.1
3.2.22
3.2.21
3.2.20
3.2.2
3.2.19
3.2.18
3.2.17
3.2.16
3.2.15
3.2.14
3.2.13
3.2.12
3.2.11
3.2.10
(version list truncated on this page; see NVD for the full set of affected versions)
Vendor: Redhat
Product: CloudForms
Version: 4.7

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVSS Base Score:          7.8/10
Impact Subscore:          6.9/10
Exploitability Subscore:  10/10

Exploit range:            Remote
Attack complexity:        Low
Authentication:           Not required

Confidentiality impact:   None
Integrity impact:         None
Availability impact:      Complete

References:
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
http://www.openwall.com/lists/oss-security/2019/03/22/1
https://access.redhat.com/errata/RHSA-2019:0796
https://access.redhat.com/errata/RHSA-2019:1147
https://access.redhat.com/errata/RHSA-2019:1149
https://access.redhat.com/errata/RHSA-2019:1289
https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI
https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

Related CVE
CVE-2014-8167
vdsm and vdsclient do not validate the certificate hostname from another vdsm, which could facilitate a man-in-the-middle attack
CVE-2014-3655
JBoss KeyCloak is vulnerable to soft token deletion via CSRF
CVE-2014-3592
OpenShift Origin: Improperly validated team names could allow stored XSS attacks
CVE-2010-3857
JBoss BRMS before 5.1.0 has an XSS vulnerability via the asset=UUID parameter.
CVE-2014-3599
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2011-2897
gdk-pixbuf through 2.31.1 has GIF loader buffer overflow when initializing decompression tables due to an input validation flaw
CVE-2019-14860
It was found that the Syndesis configuration for Cross-Origin Resource Sharing was set to allow all origins. An attacker could use this lack of protection to conduct phishing attacks and further access unauthorized information.
CVE-2019-14824
A flaw was found in the 'deref' plugin of 389-ds-base where it could use the 'search' permission to display attribute values. In some configurations, this could allow an authenticated attacker to view private attributes, such as password hashes.

Copyright 2019, cxsecurity.com

 
