Red Hat Customer Portal


CVE-2012-3424

The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.

Details

Source: Mitre

Public Date: 2012-07-26 00:00:00

Impact: Low

Bugzilla: CVE-2012-3424 rubygem-actionpack: DoS vulnerability in authenticate_or_request_with_http_digest

Bugzilla ID: 843711

CVSS Status: verified

Base Score: 4.30

Base Metrics: AV:N/AC:M/Au:N/C:N/I:N/A:P

Red Hat Security Errata

| Platform | Errata | Release Date |
| --- | --- | --- |
| Red Hat OpenShift Enterprise Client Tools | RHSA-2013:0582 | 2013-02-28 |
| Red Hat Subscription Asset Manager 1.1 (rubygem-actionpack) | RHSA-2013:0154 | 2013-01-10 |
| Red Hat CloudForms System Engine 1 (rubygem-actionpack) | RHSA-2012:1542 | 2012-12-04 |
| Red Hat CloudForms Cloud Engine 1 (rubygem-actionpack) | RHSA-2012:1542 | 2012-12-04 |

Affected Packages State

| Platform | Package | State |
| --- | --- | --- |
| Red Hat CloudForms Tools 1 | rubygem-actionpack | Affected |