CVE-2016-0751Allocation of Resources Without Limits or Throttling in Project Actionpack

CWE-399CWE-770Allocation of Resources Without Limits or Throttling10 documents8 sources
Severity
7.5HIGHNVD
EPSS
6.1%
top 9.16%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rubyonrails RailsActionpack Project ActionpackRubyonrails Ruby ON Rails
Timeline
PublishedFeb 16
Latest updateOct 24

Description

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages4 packages

RubyGemsactionpack_project/actionpack4.2.04.2.5.1+2
Debianrubyonrails/rails< 2:4.2.5.1-1+3
NVDrubyonrails/rails31 versions+30

🔴Vulnerability Details

4
OSV
actionpack is vulnerable to denial of service via a crafted HTTP Accept header2017-10-24
GHSA
actionpack is vulnerable to denial of service via a crafted HTTP Accept header2017-10-24
CVEList
CVE-2016-0751: actionpack/lib/action_dispatch/http/mime_type2016-02-16
OSV
CVE-2016-0751: actionpack/lib/action_dispatch/http/mime_type2016-02-16

📋Vendor Advisories

3
Apple
CVE-2016-0751: macOS Server 5.32017-03-27
Red Hat
rubygem-actionpack: possible object leak and denial of service attack in Action Pack2016-01-25
Debian
CVE-2016-0751: rails - actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails...2016

💬Community

2
Bugzilla
CVE-2016-0751 rubygem-actionpack: Possible Object Leak and Denial of Service attack in Action Pack [fedora-all]2016-01-26
Bugzilla
CVE-2016-0751 rubygem-actionpack: possible object leak and denial of service attack in Action Pack2016-01-26
CVE-2016-0751 — Project Actionpack vulnerability | cvebase