actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

The version of macOS Server (formerly known as Mac OS X Server) installed on the remote host is prior to 5.3. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in the Apache     HTTP server when handling a saturation of partial HTTP     requests. An unauthenticated, remote attacker can     exploit this to crash the daemon. (CVE-2007-6750)

  - A denial of service vulnerability exists in Action Pack     in Ruby on Rails due to improper restrictions on the use     of the MIME type cache when handling specially crafted     HTTP accept headers. An unauthenticated, remote attacker     can exploit this to cause the cache to grow     indefinitely. (CVE-2016-0751)

  - An information disclosure vulnerability exists in the     Wiki Server component due to improper checking of     unspecified permissions. An unauthenticated, remote can     exploit this to enumerate users. (CVE-2017-2382)

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails :

CVE-2015-7576

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication.
Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.

CVE-2016-0751

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service.

CVE-2016-0752

A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.

CVE-2016-2097

Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit.

CVE-2016-6316

Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7581 Security fix for CVE-2016-0751 Security fix for CVE-2015-7576

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7581 CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rubygem-actionpack-3_2, rubygem-activesupport-3_2 fixes the following issues :

  - CVE-2015-7576: Timing attack vulnerability in basic     authentication in Action Controller (boo#963329)

  - CVE-2016-0752: directory traversal and information leak     in Action View (boo#963332)

  - CVE-2016-0751: rubygem-actionpack: Object Leak DoS     (boo#963331)

  - CVE-2015-7577: Nested attributes rejection proc bypass     (boo#963330)

This update for rubygem-actionpack-4_2, rubygem-actionview-4_2, rubygem-activemodel-4_2, rubygem-activerecord-4_2, rubygem-activesupport-4_2 fixes the following issues :

  - CVE-2015-7576: Timing attack vulnerability in basic     authentication in Action Controller (boo#963329)

  - CVE-2016-0752: directory traversal and information leak     in Action View (boo#963332)

  - CVE-2015-7581: unbounded memory growth DoS via wildcard     controller routes (boo#963335)

  - CVE-2016-0751: rubygem-actionpack: Object Leak DoS     (boo#963331)

  - CVE-2016-0753: Input Validation Circumvention     (boo#963334)

  - CVE-2015-7577: Nested attributes rejection proc bypass     (boo#963330)

Ruby on Rails blog :

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.

Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation.

ID	Name	Product	Family	Severity
99128	macOS : macOS Server < 5.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	high
93132	Debian DLA-604-1 : ruby-actionpack-3.2 security update	Nessus	Debian Local Security Checks	high
89640	Fedora 23 : rubygem-actionpack-4.2.3-4.fc23 (2016-f486068393)	Nessus	Fedora Local Security Checks	high
89583	Fedora 22 : rubygem-actionpack-4.2.0-3.fc22 / rubygem-activemodel-4.2.0-2.fc22 (2016-94e71ee673)	Nessus	Fedora Local Security Checks	high
88613	openSUSE Security Update : rubygem-actionpack-3_2 / rubygem-activesupport-3_2 (openSUSE-2016-160)	Nessus	SuSE Local Security Checks	high
88612	openSUSE Security Update : rubygem-actionpack-4_2 / rubygem-actionview-4_2 / rubygem-activemodel-4_2 / etc (openSUSE-2016-159)	Nessus	SuSE Local Security Checks	high
88532	FreeBSD : rails -- multiple vulnerabilities (bb0ef21d-0e1b-461b-bc3d-9cba39948888)	Nessus	FreeBSD Local Security Checks	high
88499	Debian DSA-3464-1 : rails - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2016-0751

high

Tenable Plugins

high

high

high

high

high

high

high

high