Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZmcHYtYzRobS0zeDZ2

High EPSS: 0.01233% (0.78637 Percentile) EPSS:
Permalink JSON

actionpack is vulnerable to denial of service via a crafted HTTP Accept header

Affected Packages Affected Versions Fixed Versions
rubygems:actionpack
PURL: pkg:gem/actionpack
>= 4.0.0, <= 4.1.14.0, <= 3.2.22.0, >= 4.2.0, <= 4.2.5.0 4.1.14.1, 3.2.22.1, 4.2.5.1
1,688 Dependent packages
876,080 Dependent repositories
709,511,963 Downloads total

Affected Version Ranges

All affected versions

0.9.0, 0.9.5, 1.0.0, 1.0.1, 1.1.0, 1.2.0, 1.3.0, 1.3.1, 1.4.0, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.8.0, 1.8.1, 1.9.0, 1.9.1, 1.10.1, 1.10.2, 1.11.0, 1.11.1, 1.11.2, 1.12.0, 1.12.1, 1.12.2, 1.12.3, 1.12.4, 1.12.5, 1.13.0, 1.13.1, 1.13.2, 1.13.3, 1.13.4, 1.13.5, 1.13.6, 2.0.0, 2.0.1, 2.0.2, 2.0.4, 2.0.5, 2.1.0, 2.1.1, 2.1.2, 2.2.2, 2.2.3, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.14, 2.3.15, 2.3.16, 2.3.17, 2.3.18, 3.0.0, 3.0.1, 3.0.10.rc1, 3.0.12.rc1, 3.0.13.rc1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.2.0, 3.2.1, 3.2.13.rc1, 3.2.13.rc2, 3.2.14.rc1, 3.2.14.rc2, 3.2.15.rc1, 3.2.15.rc2, 3.2.15.rc3, 4.0.0, 4.0.1, 4.0.10.rc1, 4.0.10.rc2, 4.0.11.1, 4.0.13.rc1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.0.12, 4.0.13, 4.1.0, 4.1.10.rc1, 4.1.10.rc2, 4.1.10.rc3, 4.1.10.rc4, 4.1.12.rc1, 4.1.13.rc1, 4.2.0, 4.2.1, 4.2.10.rc1, 4.2.11.1, 4.2.11.2, 4.2.11.3, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.2.6, 4.2.7, 4.2.8, 4.2.9, 4.2.10, 4.2.11, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.10, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.1.0, 8.1.1

All unaffected versions

3.2.2, 3.2.22.1, 3.2.22.2, 3.2.22.3, 3.2.22.4, 3.2.22.5, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13, 3.2.14, 3.2.15, 3.2.16, 3.2.17, 3.2.18, 3.2.19, 3.2.20, 3.2.21, 3.2.22, 4.1.1, 4.1.14.1, 4.1.14.2, 4.1.14.rc1, 4.1.14.rc2, 4.1.15.rc1, 4.1.16.rc1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16

actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.

References:

Identifiers

GHSA-ffpv-c4hm-3x6v

CVE-2016-0751

Risk

Severity

High

EPSS

EPSS Percentage: 0.01233

EPSS Percentile: 0.78637

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/rails/rails

Date and time

Published

about 8 years ago

Updated

over 2 years ago

API

JSON