CVE-2016-0751 High Severity Vulnerability detected by WhiteSource

Question

CVE-2016-0751 High Severity Vulnerability detected by WhiteSource

mend-bolt-for-github opened this issue 5 years ago · comments

mend-bolt-for-github commented 5 years ago

CVE-2016-0751 - High Severity Vulnerability

Vulnerable Library - rails-4.2.5.gem

Ruby on Rails is a full-stack web framework optimized for programmer happiness and sustainable productivity. It encourages beautiful code by favoring convention over configuration.

path: /gems/2.3.0/cache/rails-4.2.5.gem

Library home page: https://rubygems.org/gems/rails-4.2.5.gem

Dependency Hierarchy:

❌ rails-4.2.5.gem (Vulnerable Library)

Vulnerability Details

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

Publish Date: 2016-02-16

URL: CVE-2016-0751

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1034816

Fix Resolution: The vendor has issued a fix (3.2.22.1, 4.1.14.1, 4.2.5.1; rails-html-sanitizer 1.0.3).

The vendor's advisory is available at:

http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/

Step up your Open Source Security Game with WhiteSource here

Vlad Arbatov · Answer 1 · Sun Feb 24 2019 16:22:02 GMT+0800 (China Standard Time)

Fixed ffe23b0