CVE-2016-0751 – actionpack

Package

Manager: gem
Name: actionpack
Vulnerable Version: >=4.2.0 <4.2.5.1 || >=0 <3.2.22.1 || >=4.0.0 <4.1.14.1

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.06145 pctl0.90447

Details

actionpack is vulnerable to denial of service via a crafted HTTP Accept header actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

Metadata

Created: 2017-10-24T18:33:35Z
Modified: 2023-07-31T21:08:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-ffpv-c4hm-3x6v/GHSA-ffpv-c4hm-3x6v.json
CWE IDs: []
Alternative ID: GHSA-ffpv-c4hm-3x6v
Finding: F002
Auto approve: 1