CVE-2015-7581Allocation of Resources Without Limits or Throttling in Project Actionpack

CWE-399CWE-770Allocation of Resources Without Limits or Throttling10 documents8 sources
Severity
7.5HIGHNVD
EPSS
7.1%
top 8.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsActionpack Project Actionpack
Timeline
PublishedFeb 16
Latest updateOct 24

Description

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

RubyGemsactionpack_project/actionpack4.0.04.2.5.1
Debianrubyonrails/rails< 2:4.2.5.1-1+3
NVDrubyonrails/rails27 versions+26

🔴Vulnerability Details

4
OSV
actionpack is vulnerable to denial of service because of a wildcard controller route2017-10-24
GHSA
actionpack is vulnerable to denial of service because of a wildcard controller route2017-10-24
OSV
CVE-2015-7581: actionpack/lib/action_dispatch/routing/route_set2016-02-16
CVEList
CVE-2015-7581: actionpack/lib/action_dispatch/routing/route_set2016-02-16

📋Vendor Advisories

2
Red Hat
rubygem-actionpack: Object leak vulnerability for wildcard controller routes in Action Pack2016-01-25
Debian
CVE-2015-7581: rails - actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Ra...2015

💬Community

3
HackerOne
DoS Attack in Controller Lookup Code2016-03-13
Bugzilla
CVE-2015-7581 rubygem-actionpack: Object leak vulnerability for wildcard controller routes in Action Pack [fedora-all]2016-01-26
Bugzilla
CVE-2015-7581 rubygem-actionpack: Object leak vulnerability for wildcard controller routes in Action Pack2016-01-26
CVE-2015-7581 — Project Actionpack vulnerability | cvebase