CVE-2013-6414 — Improper Input Validation in Project Actionpack

CWE-20 — Improper Input Validation CWE-400 — Uncontrolled Resource Consumption9 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

70.8%

top 1.30%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Actionpack Project Actionpack Rubyonrails Rails Rubyonrails Ruby ON Rails

Timeline

PublishedDec 7

Latest updateOct 24

Description

actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to cause a denial of service (memory consumption) via a header containing an invalid MIME type that leads to excessive caching.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶RubyGemsactionpack_project/actionpack3.0.0 — 3.2.16+1

▶NVDrubyonrails/rails4.0.1+47

▶NVDrubyonrails/ruby_on_rails3.2.15+4

Patches

Patch: weblog.rubyonrails.org ↗Patch: weblog.rubyonrails.org ↗

🔴Vulnerability Details

GHSA

actionpack Improper Input Validation vulnerability↗2017-10-24

▶

OSV

actionpack Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2013-6414: actionpack/lib/action_view/lookup_context↗2013-12-07

▶

OSV

CVE-2013-6414: actionpack/lib/action_view/lookup_context↗2013-12-07

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: Action View DoS↗2013-12-03

▶

Debian

CVE-2013-6414: rails - actionpack/lib/action_view/lookup_context.rb in Action View in Ruby on Rails 3.x...↗2013

▶

💬Community

Bugzilla

CVE-2014-6414 openstack-neutron: Admin-only network attributes may be reset to defaults by non-privileged users↗2014-09-16

▶

Bugzilla

CVE-2013-6414 rubygem-actionpack: Action View DoS↗2013-12-02

▶