CVE-2014-0082 — Improper Input Validation in Project Actionpack

CWE-20 — Improper Input Validation9 documents7 sources

Severity

5.0MEDIUMNVD

EPSS

6.5%

top 8.90%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack Rubyonrails Ruby ON Rails

Timeline

PublishedFeb 20

Latest updateOct 24

Description

actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages4 packages

▶RubyGemsactionpack_project/actionpack3.0.0 — 3.2.17

▶Debianrubyonrails/rails< 2.3.14.1+3

▶NVDrubyonrails/ruby_on_rails3.2.16+3

▶NVDrubyonrails/rails46 versions+45

🔴Vulnerability Details

OSV

actionpack Improper Input Validation vulnerability↗2017-10-24

▶

GHSA

actionpack Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2014-0082: actionpack/lib/action_view/template/text↗2014-02-20

▶

OSV

CVE-2014-0082: actionpack/lib/action_view/template/text↗2014-02-20

▶

📋Vendor Advisories

Red Hat

rubygem-actionpack: Action View string handling denial of service↗2014-02-18

▶

Debian

CVE-2014-0082: rails - actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x ...↗2014

▶

💬Community

Bugzilla

CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service [fedora-19]↗2014-02-18

▶

Bugzilla

CVE-2014-0082 rubygem-actionpack: Action View string handling denial of service↗2014-02-14

▶