Improper Authentication in ruby

Do your applications use this vulnerable package? Test your applications

Overview

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.

References

Bugtraq Mailing List
Bugtraq Mailing List
CVE Details
Debian Security Advisory
Debian Security Announcement
Debian Security Announcement
Debian Security Tracker
GENTOO
HackerOne Report
MISC
MLIST
SUSE
Ubuntu CVE Tracker

Attack Vector

Network
Attack Complexity

Low
Privileges Required

None
User Interaction

None
Scope

Unchanged
Confidentiality

None
Integrity

None
Availability

High

CVE: CVE-2019-16201
CWE: CWE-287
Snyk ID: SNYK-ALPINE38-RUBY-503491
Disclosed: 26 Nov, 2019
Published: 13 Nov, 2019

Improper Authentication
Affecting ruby package, versions <2.5.7-r0

Overview

References

CVSS Score

Improper Authentication Affecting ruby package, versions <2.5.7-r0

Overview

References

Improper Authentication
Affecting ruby package, versions <2.5.7-r0