gsd-2019-5419
Vulnerability from gsd
Modified
2019-03-13 00:00
Details
There is a potential denial of service vulnerability in actionview. This vulnerability has been assigned the CVE identifier CVE-2019-5419.

Impact
------

Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, leaving the server unable to process requests. This impacts all Rails applications that render views.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds
-----------

This vulnerability can be mitigated by wrapping `render` calls in `respond_to` blocks. For example, the following controller is vulnerable:

```ruby
class UserController < ApplicationController
  def index
    render "index"
  end
end
```

But the following code is not vulnerable:

```ruby
class UserController < ApplicationController
  def index
    respond_to do |format|
      format.html { render "index" }
    end
  end
end
```

Implicit rendering is impacted, so this code is vulnerable:

```ruby
class UserController < ApplicationController
  def index
  end
end
```

But it can be changed to this:

```ruby
class UserController < ApplicationController
  def index
    respond_to do |format|
      format.html { render "index" }
    end
  end
end
```

Alternatively to specifying the format, the following monkey patch can be applied in an initializer:

```ruby
# config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  # Keep only the requested formats that map to a registered MIME symbol,
  # plus the */* wildcard; anything else never reaches template lookup.
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)
```

Credits
-------

Thanks to John Hawthorn <john@hawthorn.email> of GitHub
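An added example, not part of the advisory or of Rails itself: a pure-Ruby model of what the `formats_filter.rb` initializer does to an `Accept` header, runnable without booting Rails. The MIME table, `parse_accept`, `formats_unfiltered` and `formats_filtered` are constructed stand-ins for Rails' `Mime::Type` registry and `ActionDispatch::Request#formats`, and the sample header is constructed.

```ruby
# Constructed stand-in for the Rails MIME registry: media type -> symbol.
# In Rails this is Mime::Type's table of registered types.
REGISTERED_MIME_TYPES = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Minimal stand-in for Mime::Type: the media type string (ref) and, if the
# type is registered, its symbol. Unregistered types have no symbol.
MimeType = Struct.new(:ref, :symbol)

def build_mime_type(media_type)
  MimeType.new(media_type, REGISTERED_MIME_TYPES[media_type])
end

# Parse an Accept header into MimeType values ordered by q, highest first.
# Handles ;q= and other parameters, whitespace and empty entries.
def parse_accept(header)
  entries = header.to_s.split(",").map(&:strip).reject(&:empty?)
  weighted = entries.each_with_index.map do |entry, index|
    media, *params = entry.split(";").map(&:strip)
    q_param = params.find { |p| p.start_with?("q=") }
    q = q_param ? q_param.sub("q=", "").to_f : 1.0
    [q, index, media.downcase]
  end
  weighted
    .sort_by { |q, index, _| [-q, index] }
    .map { |_, _, media| build_mime_type(media) }
end

# Without the initializer: every media type the client sent, registered or
# not, is handed on to template lookup.
def formats_unfiltered(header)
  parse_accept(header)
end

# With the initializer: the same list filtered exactly as the monkey patch
# does, keeping only types with a registered symbol or the */* wildcard.
def formats_filtered(header)
  formats_unfiltered(header).select do |format|
    format.symbol || format.ref == "*/*"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header mixing an unregistered type, a registered
  # type and the wildcard.
  header = "application/vnd.example.custom, text/html;q=0.9, */*;q=0.1"
  puts "unfiltered: #{formats_unfiltered(header).map(&:ref).join(', ')}"
  puts "filtered:   #{formats_filtered(header).map(&:ref).join(', ')}"
end
```

Only `text/html` and `*/*` survive the filter for the sample header; a header made up solely of unregistered types yields an empty list, so Rails falls back to its default behaviour rather than searching templates for each requested type.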
Aliases



{
  "GSD": {
    "alias": "CVE-2019-5419",
    "description": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.",
    "id": "GSD-2019-5419",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-5419.html",
      "https://access.redhat.com/errata/RHSA-2019:1289",
      "https://access.redhat.com/errata/RHSA-2019:1149",
      "https://access.redhat.com/errata/RHSA-2019:1147",
      "https://access.redhat.com/errata/RHSA-2019:0796"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionview",
            "purl": "pkg:gem/actionview"
          }
        }
      ],
      "aliases": [
        "CVE-2019-5419",
        "GHSA-m63j-wh5w-c252"
      ],
      "details": "There is a potential denial of service vulnerability in actionview.\nThis vulnerability has been assigned the CVE identifier CVE-2019-5419.\n\nImpact\n------\nSpecially crafted accept headers can cause the Action View template location\ncode to consume 100% CPU, causing the server unable to process requests.  This\nimpacts all Rails applications that render views.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nThis vulnerability can be mitigated by wrapping `render` calls with\n`respond_to` blocks.  For example, the following example is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    render \"index\"\n  end\nend\n```\n\nBut the following code is not vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nImplicit rendering is impacted, so this code is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n  end\nend\n```\n\nBut can be changed this this:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nAlternatively to specifying the format, the following monkey patch can be\napplied in an initializer:\n\n```\n$ cat config/initializers/formats_filter.rb\n# frozen_string_literal: true\n\nActionDispatch::Request.prepend(Module.new do\n  def formats\n    super().select do |format|\n      format.symbol || format.ref == \"*/*\"\n    end\n  end\nend)\n```\n\nCredits\n-------\nThanks to John Hawthorn \u003cjohn@hawthorn.email\u003e of GitHub\n",
      "id": "GSD-2019-5419",
      "modified": "2019-03-13T00:00:00.000Z",
      "published": "2019-03-13T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Denial of Service Vulnerability in Action View"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2019-5419",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.2.2.1"
                        },
                        {
                          "version_value": "5.1.6.2"
                        },
                        {
                          "version_value": "5.0.7.2"
                        },
                        {
                          "version_value": "4.2.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Rails"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (CWE-400)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
          },
          {
            "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
            "refsource": "CONFIRM",
            "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
          },
          {
            "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI",
            "refsource": "CONFIRM",
            "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
          },
          {
            "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
          },
          {
            "name": "RHSA-2019:0796",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:0796"
          },
          {
            "name": "openSUSE-SU-2019:1344",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
          },
          {
            "name": "FEDORA-2019-1cfe24db5c",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
          },
          {
            "name": "RHSA-2019:1149",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1149"
          },
          {
            "name": "RHSA-2019:1147",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1147"
          },
          {
            "name": "RHSA-2019:1289",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1289"
          },
          {
            "name": "openSUSE-SU-2019:1527",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
          },
          {
            "name": "openSUSE-SU-2019:1824",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-5419",
      "cvss_v3": 7.5,
      "date": "2019-03-13",
      "description": "There is a potential denial of service vulnerability in actionview.\nThis vulnerability has been assigned the CVE identifier CVE-2019-5419.\n\nImpact\n------\nSpecially crafted accept headers can cause the Action View template location\ncode to consume 100% CPU, causing the server unable to process requests.  This\nimpacts all Rails applications that render views.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nThis vulnerability can be mitigated by wrapping `render` calls with\n`respond_to` blocks.  For example, the following example is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    render \"index\"\n  end\nend\n```\n\nBut the following code is not vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nImplicit rendering is impacted, so this code is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n  end\nend\n```\n\nBut can be changed this this:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nAlternatively to specifying the format, the following monkey patch can be\napplied in an initializer:\n\n```\n$ cat config/initializers/formats_filter.rb\n# frozen_string_literal: true\n\nActionDispatch::Request.prepend(Module.new do\n  def formats\n    super().select do |format|\n      format.symbol || format.ref == \"*/*\"\n    end\n  end\nend)\n```\n\nCredits\n-------\nThanks to John Hawthorn \u003cjohn@hawthorn.email\u003e of GitHub\n",
      "framework": "rails",
      "gem": "actionview",
      "ghsa": "m63j-wh5w-c252",
      "patched_versions": [
        "\u003e= 6.0.0.beta3",
        "~\u003e 5.2.2, \u003e= 5.2.2.1",
        "~\u003e 5.1.6, \u003e= 5.1.6.2",
        "~\u003e 5.0.7, \u003e= 5.0.7.2",
        "~\u003e 4.2.11, \u003e= 4.2.11.1"
      ],
      "title": "Denial of Service Vulnerability in Action View",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.2.11.1||\u003e=5.0.0 \u003c5.0.7.2||\u003e=5.1.0 \u003c5.1.6.2||\u003e=5.2.0 \u003c5.2.2.1",
          "affected_versions": "All versions before 4.2.11.1, all versions starting from 5.0.0 before 5.0.7.2, all versions starting from 5.1.0 before 5.1.6.2, all versions starting from 5.2.0 before 5.2.2.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2020-10-16",
          "description": "There is a possible denial of service vulnerability in Action View (Rails)  where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.",
          "fixed_versions": [
            "4.2.11.1",
            "5.0.7.2",
            "5.1.6.2",
            "5.2.2.1"
          ],
          "identifier": "CVE-2019-5419",
          "identifiers": [
            "CVE-2019-5419"
          ],
          "not_impacted": "All versions starting from 4.2.11.1 before 5.0.0, all versions starting from 5.0.7.2 before 5.1.0, all versions starting from 5.1.6.2 before 5.2.0",
          "package_slug": "gem/actionview",
          "pubdate": "2019-03-27",
          "solution": "Upgrade to versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
          ],
          "uuid": "3fd68dd9-fcbf-445f-9763-9cc29bde17f7"
        },
        {
          "affected_range": "\u003c4.2.11.1||\u003e=5.0.0 \u003c5.0.7.2||\u003e=5.1.0 \u003c5.1.6.2||\u003e=5.2.0 \u003c5.2.2.1",
          "affected_versions": "All versions before 4.2.11.1, all versions starting from 5.0.0 before 5.0.7.2, all versions starting from 5.1.0 before 5.1.6.2, all versions starting from 5.2.0 before 5.2.2.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2019-06-07",
          "description": "There is a possible denial of service vulnerability in Action View (Rails) where specially crafted `Accept` headers can cause action view to consume 100% cpu and make the server unresponsive.",
          "fixed_versions": [
            "4.2.11.1",
            "5.0.7.2",
            "5.1.6.2",
            "5.2.2.1"
          ],
          "identifier": "CVE-2019-5419",
          "identifiers": [
            "CVE-2019-5419"
          ],
          "not_impacted": "All versions starting from 4.2.11.1 before 5.0.0, all versions starting from 5.0.7.2 before 5.1.0, all versions starting from 5.1.6.2 before 5.2.0, all versions starting from 5.2.2.1",
          "package_slug": "gem/rails",
          "pubdate": "2019-03-27",
          "solution": "Upgrade to versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
          ],
          "uuid": "03fb9fd8-0566-4b25-9a50-9918b3798ff4"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.2.11.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.7.2",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.1.6.2",
                "versionStartIncluding": "5.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.2.1",
                "versionStartIncluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2019-5419"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
            },
            {
              "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
              "refsource": "MLIST",
              "tags": [
                "Exploit",
                "Mailing List",
                "Mitigation",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
            },
            {
              "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
            },
            {
              "name": "RHSA-2019:0796",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0796"
            },
            {
              "name": "openSUSE-SU-2019:1344",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
            },
            {
              "name": "FEDORA-2019-1cfe24db5c",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
            },
            {
              "name": "RHSA-2019:1149",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1149"
            },
            {
              "name": "RHSA-2019:1147",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1147"
            },
            {
              "name": "RHSA-2019:1289",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1289"
            },
            {
              "name": "openSUSE-SU-2019:1527",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
            },
            {
              "name": "openSUSE-SU-2019:1824",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-10-16T19:02Z",
      "publishedDate": "2019-03-27T14:29Z"
    }
  }
}

