CVE-2016-0751
Summary
| CVE | CVE-2016-0751 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2016-02-16 02:59:00 UTC |
| Updated | 2019-08-08 15:43:00 UTC |
| Description | actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header. |
Risk And Classification
Problem Types: CWE-399
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Rubyonrails | Rails | 4.0.0 | - | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | beta | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | - | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc4 | All | All |
| Application | Rubyonrails | Rails | 4.0.10 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.10 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.0.7 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.8 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.9 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.0 | - | All | All |
| Application | Rubyonrails | Rails | 4.1.0 | beta1 | All | All |
| Application | Rubyonrails | Rails | 4.1.1 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.10 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.12 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.13 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.1.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.6 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.1.7 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.8 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.9 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta1 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta2 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta3 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta4 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc4 | All | All |
| Application | Rubyonrails | Rails | 4.2.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.3 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.4 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | rc2 | All | All |
| Application | Rubyonrails | Rails | 5.0.0 | beta1 | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | - | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | beta | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.0 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | - | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.0.1 | rc4 | All | All |
| Application | Rubyonrails | Rails | 4.0.10 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.10 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.0.6 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.0.7 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.8 | All | All | All |
| Application | Rubyonrails | Rails | 4.0.9 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.0 | - | All | All |
| Application | Rubyonrails | Rails | 4.1.0 | beta1 | All | All |
| Application | Rubyonrails | Rails | 4.1.1 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.10 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.12 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.13 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.1.2 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.1.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.6 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.1.7 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.8 | All | All | All |
| Application | Rubyonrails | Rails | 4.1.9 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta1 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta2 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta3 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | beta4 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.2.0 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc2 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc3 | All | All |
| Application | Rubyonrails | Rails | 4.2.1 | rc4 | All | All |
| Application | Rubyonrails | Rails | 4.2.2 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.3 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.3 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.4 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.4 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | All | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | rc1 | All | All |
| Application | Rubyonrails | Rails | 4.2.5 | rc2 | All | All |
| Application | Rubyonrails | Rails | 5.0.0 | beta1 | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.10 | rc2 | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.11 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.11.1 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.12 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.13 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.13 | rc1 | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.1.11 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.10 | rc2 | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.11 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.11.1 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.12 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.13 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.0.13 | rc1 | All | All |
| Application | Rubyonrails | Ruby On Rails | 4.1.11 | All | All | All |
| Application | Rubyonrails | Ruby On Rails | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-3464-1 rails | DEBIAN | www.debian.org | |
| Ruby on Rails Action Pack CVE-2016-0751 Denial of Service Vulnerability | BID | www.securityfocus.com | |
| [ruby-security-ann] 20160125 [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack | MLIST | groups.google.com | |
| Rails Multiple Bugs Let Remote Users Determine Passwords, Modify Records, Bypass Security Restrictions, Deny Service, and Conduct Cross-Site Scripting Attacks - SecurityTracker | SECTRACK | www.securitytracker.com | |
| [SECURITY] Fedora 23 Update: rubygem-actionpack-4.2.3-4.fc23 | FEDORA | lists.fedoraproject.org | |
| [security-announce] SUSE-SU-2016:1146-1: important: Security update for | SUSE | lists.opensuse.org | |
| openSUSE-SU-2016:0372-1: moderate: Security update for rubygem-actionpac | SUSE | lists.opensuse.org | |
| oss-security - [CVE-2016-0751] Possible Object Leak and Denial of Service attack in Action Pack | MLIST | www.openwall.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| [SECURITY] Fedora 22 Update: rubygem-activemodel-4.2.0-2.fc22 | FEDORA | lists.fedoraproject.org | |
| openSUSE-SU-2016:0363-1: moderate: Security update for rubygem-actionpac | SUSE | lists.opensuse.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.