CVE-2019-5419 (High) detected in rails-4.1.0.gem #36

@mend-bolt-for-github

Description

CVE-2019-5419 - High Severity Vulnerability

Vulnerable Library - rails-4.1.0.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

Library home page: https://rubygems.org/gems/rails-4.1.0.gem

Path to vulnerable library: /app1/Gemfile.lock,ms/2.5.0/cache/rails-4.1.0.gem

Dependency Hierarchy:

  • rails-4.1.0.gem (Vulnerable Library)

Found in HEAD commit: 9d946faa10e3050193fb56220287f7565773de83

Vulnerability Details

A possible denial of service vulnerability exists in Action View (Rails) before 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1: a specially crafted Accept header can drive Action View to 100% CPU and leave the server unresponsive.

Publish Date: 2019-03-27

URL: CVE-2019-5419

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/

Release Date: 2019-03-13 (date of the origin post announcing the patched releases)

Fix Resolution: 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 (no patched release exists in the 4.1 series, so the rails-4.1.0.gem found here cannot be fixed by an in-series bump and has to move to at least 4.2.11.1)
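The following is an added example, not part of the Mend/WhiteSource report or of the Rails project: a small Ruby check that reads the resolved `rails` version out of a Gemfile.lock and compares it with the patched releases listed above, including the case this report hits, where the locked series (4.1) has no patched release at all. The Gemfile.lock fragment is constructed for illustration; the function and constant names are this example's own.

```ruby
# Added example (not from the Mend/WhiteSource report or the Rails project):
# check a Gemfile.lock for exposure to CVE-2019-5419 using the patched
# releases listed in the report. Gem::Version ships with RubyGems, which
# Ruby loads by default.
require "rubygems"

# Patched releases from the report, keyed by minor series.
FIXED_VERSIONS = {
  "4.2" => Gem::Version.new("4.2.11.1"),
  "5.0" => Gem::Version.new("5.0.7.2"),
  "5.1" => Gem::Version.new("5.1.6.2"),
  "5.2" => Gem::Version.new("5.2.2.1"),
}.freeze

# Oldest release carrying the fix; an unsupported series must move here or later.
MINIMUM_FIXED = Gem::Version.new("4.2.11.1")

# Resolved version of +gem_name+ in the specs section of a Gemfile.lock.
# Resolved gems appear as "    name (x.y.z)" (four-space indent, exact
# version); their dependencies use a six-space indent and may carry
# constraints such as "(~> 4.1)", so the regex only accepts four spaces
# followed by a plain dotted version.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \((\d+(?:\.\d+)+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify a rails version against the patched releases.
# Returns [status, advice]; status is :fixed, :vulnerable,
# :unsupported (the series never received a patch) or :unknown.
def assess_cve_2019_5419(version)
  return [:unknown, "gem not present in Gemfile.lock"] if version.nil?

  series = version.segments.first(2).join(".")
  fixed  = FIXED_VERSIONS[series]

  if fixed
    # Gem::Version orders four-part versions correctly: 4.2.11 < 4.2.11.1 < 4.2.12.
    return [:fixed, "#{version} is at or above #{fixed}"] if version >= fixed
    return [:vulnerable, "upgrade #{series}.x to #{fixed}"]
  end

  if version < MINIMUM_FIXED
    # 4.1 and older (the case in this report) never got a patch: an in-series
    # bump is not an option, the application has to move to a patched series.
    [:unsupported, "no fix in the #{series} series; upgrade to at least #{MINIMUM_FIXED}"]
  else
    # Rails 6.0 and later were cut after the March 2019 patch releases.
    [:fixed, "#{version} was released after the patched versions"]
  end
end

# Constructed Gemfile.lock fragment mirroring the report (rails pinned at 4.1.0).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionview (4.1.0)
        activesupport (= 4.1.0)
      rails (4.1.0)
        actionview (= 4.1.0)
        railties (= 4.1.0)

  DEPENDENCIES
    rails (~> 4.1)
LOCK

# One-line verdict for a lockfile, suitable for a CI gate.
def report(lockfile_text)
  status, advice = assess_cve_2019_5419(locked_version(lockfile_text, "rails"))
  "CVE-2019-5419: #{status} (#{advice})"
end

puts report(SAMPLE_LOCKFILE) if $PROGRAM_NAME == __FILE__
```

Run it against the real `/app1/Gemfile.lock` by replacing `SAMPLE_LOCKFILE` with `File.read(path)`; a `:vulnerable` or `:unsupported` verdict is what should fail the build. The check keys on the top-level `rails` spec, so an application that depends on `actionview` directly without the `rails` meta-gem should pass `"actionview"` as the gem name instead.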

Labels: security vulnerability (Security vulnerability detected by WhiteSource)