CVE-2012-3424 — Improper Authentication in Project Actionpack

CWE-287 — Improper Authentication9 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

1.0%

top 23.19%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Actionpack Project Actionpack Rubyonrails Rails Rubyonrails Ruby ON Rails

Timeline

PublishedAug 8

Latest updateOct 24

Description

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶NVDrubyonrails/rails29 versions+28

▶NVDrubyonrails/ruby_on_rails3.0.4

▶RubyGemsactionpack_project/actionpack3.0.0.beta — 3.0.16+3

🔴Vulnerability Details

OSV

actionpack Improper Authentication vulnerability↗2017-10-24

▶

GHSA

actionpack Improper Authentication vulnerability↗2017-10-24

▶

CVEList

CVE-2012-3424: The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication↗2012-08-08

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest↗2012-07-26

▶

Debian

CVE-2012-3424: rails - The decode_credentials method in actionpack/lib/action_controller/metal/http_aut...↗2012

▶

💬Community

Bugzilla

CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest [fedora-all]↗2012-07-27

▶

Bugzilla

CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest↗2012-07-27

▶

Bugzilla

CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest [epel-5]↗2012-07-27

▶