CVE-2019-5419 (GCVE-0-2019-5419)

Vulnerability from cvelistv5 – Published: 2019-03-27 13:43 – Updated: 2024-08-04 19:54

Summary

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

	Vendor	Product	Version
	Rails	https://github.com/rails/rails	Affected: 5.2.2.1 Affected: 5.1.6.2 Affected: 5.0.7.2 Affected: 4.2.11.1

FKIE_CVE-2019-5419

Vulnerability from fkie_nvd - Published: 2019-03-27 14:29 - Updated: 2024-11-21 04:44

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html	Mailing List, Third Party Advisory
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html	Mailing List, Third Party Advisory
support@hackerone.com	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html	Mailing List, Third Party Advisory
support@hackerone.com	http://www.openwall.com/lists/oss-security/2019/03/22/1	Exploit, Mailing List, Mitigation, Patch, Third Party Advisory
support@hackerone.com	https://access.redhat.com/errata/RHSA-2019:0796	Third Party Advisory
support@hackerone.com	https://access.redhat.com/errata/RHSA-2019:1147	Third Party Advisory
support@hackerone.com	https://access.redhat.com/errata/RHSA-2019:1149	Third Party Advisory
support@hackerone.com	https://access.redhat.com/errata/RHSA-2019:1289	Third Party Advisory
support@hackerone.com	https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI
support@hackerone.com	https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html	Mailing List, Third Party Advisory
support@hackerone.com	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
support@hackerone.com	https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2019/03/22/1	Exploit, Mailing List, Mitigation, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:0796	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:1147	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:1149	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://access.redhat.com/errata/RHSA-2019:1289	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/
af854a3a-2127-422b-91ae-364da2661108	https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/	Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
rubyonrails	rails	*
rubyonrails	rails	*
rubyonrails	rails	*
rubyonrails	rails	*
debian	debian_linux	8.0
redhat	cloudforms	4.6
redhat	cloudforms	4.7
redhat	software_collections	1.0
opensuse	leap	15.0
opensuse	leap	15.1
fedoraproject	fedora	30

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF9998D1-8C7B-4402-930B-C370824D46AA",
              "versionEndExcluding": "4.2.11.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5DCD16B7-B3E7-4EE4-B8B1-B25FBE75EFFF",
              "versionEndExcluding": "5.0.7.2",
              "versionStartIncluding": "5.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "EF0BA3C0-E2A4-4FE1-B443-308B7EFA32F2",
              "versionEndExcluding": "5.1.6.2",
              "versionStartIncluding": "5.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F248A4DE-4B0C-4E4C-AB38-C08F90B197F8",
              "versionEndExcluding": "5.2.2.1",
              "versionStartIncluding": "5.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "67F7263F-113D-4BAE-B8CB-86A61531A2AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "04AC556D-D511-4C4C-B9FB-A089BB2FEFD5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9D7EE4B6-A6EC-4B9B-91DF-79615796673F",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
              "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
    },
    {
      "lang": "es",
      "value": "Hay una posible vulnerabilidad de denegaci\u00f3n de servicio (DoS) en la vista de acci\u00f3n en Rails, en versiones anteriores a las 5.2.2.1, 5.1.6.2, 5.0.7.2 y 4.2.11.1 donde las cabeceras de aceptaci\u00f3n especialmente manipuladas pueden provocar que dicha vista consuma el 100 % de la CPU y haga que el servidor deje de responder."
    }
  ],
  "id": "CVE-2019-5419",
  "lastModified": "2024-11-21T04:44:54.017",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.8,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2019-03-27T14:29:01.657",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Exploit",
        "Mailing List",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0796"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1147"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1149"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1289"
    },
    {
      "source": "support@hackerone.com",
      "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
    },
    {
      "source": "support@hackerone.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Mailing List",
        "Mitigation",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:0796"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1149"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2019:1289"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-770"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CERTFR-2019-AVI-111

Vulnerability from certfr_avis - Published: 2019-03-14 - Updated: 2019-03-26

De multiples vulnérabilités ont été découvertes dans Ruby On Rails. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service et une atteinte à la confidentialité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby On Rails versions 5.0.x antérieures à 5.0.7.2
Ruby on Rails	Ruby on Rails	Ruby On Rails versions 4.2.x antérieures à 4.2.11.1
Ruby on Rails	Ruby on Rails	Ruby On Rails versions 5.2.x antérieures à 5.2.2.1
Ruby on Rails	Ruby on Rails	Ruby On Rails versions 5.1.x antérieures à 5.1.6.2
Ruby on Rails	Ruby on Rails	Ruby On Rails versions 6.0.0.x antérieures à 6.0.0.beta3

References

Title

Publication Time

GSD-2019-5419

Vulnerability from gsd - Updated: 2019-03-13 00:00

Details

There is a potential denial of service vulnerability in actionview. This vulnerability has been assigned the CVE identifier CVE-2019-5419. Impact ------ Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds ----------- This vulnerability can be mitigated by wrapping `render` calls with `respond_to` blocks. For example, the following example is vulnerable: ``` class UserController < ApplicationController def index render "index" end end ``` But the following code is not vulnerable: ``` class UserController < ApplicationController def index respond_to |format| format.html { render "index" } end end end ``` Implicit rendering is impacted, so this code is vulnerable: ``` class UserController < ApplicationController def index end end ``` But can be changed this this: ``` class UserController < ApplicationController def index respond_to |format| format.html { render "index" } end end end ``` Alternatively to specifying the format, the following monkey patch can be applied in an initializer: ``` $ cat config/initializers/formats_filter.rb # frozen_string_literal: true ActionDispatch::Request.prepend(Module.new do def formats super().select do |format| format.symbol || format.ref == "*/*" end end end) ``` Credits ------- Thanks to John Hawthorn <john@hawthorn.email> of GitHub

Aliases

CVE-2019-5419

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2019-5419",
    "description": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.",
    "id": "GSD-2019-5419",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-5419.html",
      "https://access.redhat.com/errata/RHSA-2019:1289",
      "https://access.redhat.com/errata/RHSA-2019:1149",
      "https://access.redhat.com/errata/RHSA-2019:1147",
      "https://access.redhat.com/errata/RHSA-2019:0796"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionview",
            "purl": "pkg:gem/actionview"
          }
        }
      ],
      "aliases": [
        "CVE-2019-5419",
        "GHSA-m63j-wh5w-c252"
      ],
      "details": "There is a potential denial of service vulnerability in actionview.\nThis vulnerability has been assigned the CVE identifier CVE-2019-5419.\n\nImpact\n------\nSpecially crafted accept headers can cause the Action View template location\ncode to consume 100% CPU, causing the server unable to process requests.  This\nimpacts all Rails applications that render views.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nThis vulnerability can be mitigated by wrapping `render` calls with\n`respond_to` blocks.  For example, the following example is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    render \"index\"\n  end\nend\n```\n\nBut the following code is not vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nImplicit rendering is impacted, so this code is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n  end\nend\n```\n\nBut can be changed this this:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nAlternatively to specifying the format, the following monkey patch can be\napplied in an initializer:\n\n```\n$ cat config/initializers/formats_filter.rb\n# frozen_string_literal: true\n\nActionDispatch::Request.prepend(Module.new do\n  def formats\n    super().select do |format|\n      format.symbol || format.ref == \"*/*\"\n    end\n  end\nend)\n```\n\nCredits\n-------\nThanks to John Hawthorn \u003cjohn@hawthorn.email\u003e of GitHub\n",
      "id": "GSD-2019-5419",
      "modified": "2019-03-13T00:00:00.000Z",
      "published": "2019-03-13T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Denial of Service Vulnerability in Action View"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2019-5419",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rails/rails",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "5.2.2.1"
                        },
                        {
                          "version_value": "5.1.6.2"
                        },
                        {
                          "version_value": "5.0.7.2"
                        },
                        {
                          "version_value": "4.2.11.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Rails"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (CWE-400)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
          },
          {
            "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
            "refsource": "CONFIRM",
            "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
          },
          {
            "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI",
            "refsource": "CONFIRM",
            "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
          },
          {
            "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
          },
          {
            "name": "RHSA-2019:0796",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:0796"
          },
          {
            "name": "openSUSE-SU-2019:1344",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
          },
          {
            "name": "FEDORA-2019-1cfe24db5c",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
          },
          {
            "name": "RHSA-2019:1149",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1149"
          },
          {
            "name": "RHSA-2019:1147",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1147"
          },
          {
            "name": "RHSA-2019:1289",
            "refsource": "REDHAT",
            "url": "https://access.redhat.com/errata/RHSA-2019:1289"
          },
          {
            "name": "openSUSE-SU-2019:1527",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
          },
          {
            "name": "openSUSE-SU-2019:1824",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-5419",
      "cvss_v3": 7.5,
      "date": "2019-03-13",
      "description": "There is a potential denial of service vulnerability in actionview.\nThis vulnerability has been assigned the CVE identifier CVE-2019-5419.\n\nImpact\n------\nSpecially crafted accept headers can cause the Action View template location\ncode to consume 100% CPU, causing the server unable to process requests.  This\nimpacts all Rails applications that render views.\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\nWorkarounds\n-----------\nThis vulnerability can be mitigated by wrapping `render` calls with\n`respond_to` blocks.  For example, the following example is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    render \"index\"\n  end\nend\n```\n\nBut the following code is not vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nImplicit rendering is impacted, so this code is vulnerable:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n  end\nend\n```\n\nBut can be changed this this:\n\n```\nclass UserController \u003c ApplicationController\n  def index\n    respond_to |format|\n      format.html { render \"index\" }\n    end\n  end\nend\n```\n\nAlternatively to specifying the format, the following monkey patch can be\napplied in an initializer:\n\n```\n$ cat config/initializers/formats_filter.rb\n# frozen_string_literal: true\n\nActionDispatch::Request.prepend(Module.new do\n  def formats\n    super().select do |format|\n      format.symbol || format.ref == \"*/*\"\n    end\n  end\nend)\n```\n\nCredits\n-------\nThanks to John Hawthorn \u003cjohn@hawthorn.email\u003e of GitHub\n",
      "framework": "rails",
      "gem": "actionview",
      "ghsa": "m63j-wh5w-c252",
      "patched_versions": [
        "\u003e= 6.0.0.beta3",
        "~\u003e 5.2.2, \u003e= 5.2.2.1",
        "~\u003e 5.1.6, \u003e= 5.1.6.2",
        "~\u003e 5.0.7, \u003e= 5.0.7.2",
        "~\u003e 4.2.11, \u003e= 4.2.11.1"
      ],
      "title": "Denial of Service Vulnerability in Action View",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c4.2.11.1||\u003e=5.0.0 \u003c5.0.7.2||\u003e=5.1.0 \u003c5.1.6.2||\u003e=5.2.0 \u003c5.2.2.1",
          "affected_versions": "All versions before 4.2.11.1, all versions starting from 5.0.0 before 5.0.7.2, all versions starting from 5.1.0 before 5.1.6.2, all versions starting from 5.2.0 before 5.2.2.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2020-10-16",
          "description": "There is a possible denial of service vulnerability in Action View (Rails)  where specially crafted accept headers can cause action view to consume % cpu and make the server unresponsive.",
          "fixed_versions": [
            "4.2.11.1",
            "5.0.7.2",
            "5.1.6.2",
            "5.2.2.1"
          ],
          "identifier": "CVE-2019-5419",
          "identifiers": [
            "CVE-2019-5419"
          ],
          "not_impacted": "All versions starting from 4.2.11.1 before 5.0.0, all versions starting from 5.0.7.2 before 5.1.0, all versions starting from 5.1.6.2 before 5.2.0",
          "package_slug": "gem/actionview",
          "pubdate": "2019-03-27",
          "solution": "Upgrade to versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or above.",
          "title": "Allocation of Resources Without Limits or Throttling",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
          ],
          "uuid": "3fd68dd9-fcbf-445f-9763-9cc29bde17f7"
        },
        {
          "affected_range": "\u003c4.2.11.1||\u003e=5.0.0 \u003c5.0.7.2||\u003e=5.1.0 \u003c5.1.6.2||\u003e=5.2.0 \u003c5.2.2.1",
          "affected_versions": "All versions before 4.2.11.1, all versions starting from 5.0.0 before 5.0.7.2, all versions starting from 5.1.0 before 5.1.6.2, all versions starting from 5.2.0 before 5.2.2.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-770",
            "CWE-937"
          ],
          "date": "2019-06-07",
          "description": "There is a possible denial of service vulnerability in Action View (Rails) where specially crafted `Accept` headers can cause action view to consume 100% cpu and make the server unresponsive.",
          "fixed_versions": [
            "4.2.11.1",
            "5.0.7.2",
            "5.1.6.2",
            "5.2.2.1"
          ],
          "identifier": "CVE-2019-5419",
          "identifiers": [
            "CVE-2019-5419"
          ],
          "not_impacted": "All versions starting from 4.2.11.1 before 5.0.0, all versions starting from 5.0.7.2 before 5.1.0, all versions starting from 5.1.6.2 before 5.2.0, all versions starting from 5.2.2.1",
          "package_slug": "gem/rails",
          "pubdate": "2019-03-27",
          "solution": "Upgrade to versions 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
          ],
          "uuid": "03fb9fd8-0566-4b25-9a50-9918b3798ff4"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "4.2.11.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.0.7.2",
                "versionStartIncluding": "5.0.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.1.6.2",
                "versionStartIncluding": "5.1.0",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "5.2.2.1",
                "versionStartIncluding": "5.2.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve-assignments@hackerone.com",
          "ID": "CVE-2019-5419"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-770"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
            },
            {
              "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
              "refsource": "MLIST",
              "tags": [
                "Exploit",
                "Mailing List",
                "Mitigation",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
            },
            {
              "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
            },
            {
              "name": "RHSA-2019:0796",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0796"
            },
            {
              "name": "openSUSE-SU-2019:1344",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
            },
            {
              "name": "FEDORA-2019-1cfe24db5c",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
            },
            {
              "name": "RHSA-2019:1149",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1149"
            },
            {
              "name": "RHSA-2019:1147",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1147"
            },
            {
              "name": "RHSA-2019:1289",
              "refsource": "REDHAT",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:1289"
            },
            {
              "name": "openSUSE-SU-2019:1527",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
            },
            {
              "name": "openSUSE-SU-2019:1824",
              "refsource": "SUSE",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.8,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-10-16T19:02Z",
      "publishedDate": "2019-03-27T14:29Z"
    }
  }
}

CVE-2019-5419

Vulnerability from fstec - Published: 16.03.2019

Title

Уязвимость компонента Action View программной платформы Ruby on Rails, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость компонента Action View программной платформы Ruby on Rails связана с ошибками обработки содержимого HTTP-заголовков Accept. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vendor

Сообщество свободного программного обеспечения, ООО «РусБИТех-Астра», Rails Core Team, Novell Inc., Fedora Project

Software Name

Debian GNU/Linux, Astra Linux Special Edition (запись в едином реестре российских программ №369), Ruby on Rails, OpenSUSE Leap, Fedora, Astra Linux Special Edition для «Эльбрус» (запись в едином реестре российских программ №11156)

Software Version

9 (Debian GNU/Linux), 1.6 «Смоленск» (Astra Linux Special Edition), до 6.0.0.beta3 (Ruby on Rails), до 5.2.2.1 (Ruby on Rails), до 5.1.6.2 (Ruby on Rails), до 5.0.7.1 (Ruby on Rails), до 4.2.11.1 (Ruby on Rails), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), 30 (Fedora), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 «Ленинград» (Astra Linux Special Edition для «Эльбрус»)

Possible Mitigations

Использование рекомендации: https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ Для продуктов Debian: https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html Для Astra Linux: https://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186 Для OpenSUSE: https://www.suse.com/security/cve/CVE-2019-5419/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2019-5419 https://security-tracker.debian.org/tracker/CVE-2019-5419 http://www.openwall.com/lists/oss-security/2019/03/22/1 https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI https://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827

CWE

CWE-400

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, Rails Core Team, Novell Inc., Fedora Project",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "9 (Debian GNU/Linux), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Special Edition), \u0434\u043e 6.0.0.beta3 (Ruby on Rails), \u0434\u043e 5.2.2.1 (Ruby on Rails), \u0434\u043e 5.1.6.2 (Ruby on Rails), \u0434\u043e 5.0.7.1 (Ruby on Rails), \u0434\u043e 4.2.11.1 (Ruby on Rails), 15.0 (OpenSUSE Leap), 15.1 (OpenSUSE Leap), 30 (Fedora), 8 (Debian GNU/Linux), 10 (Debian GNU/Linux), 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb (Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438:\nhttps://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Debian:\nhttps://lists.debian.org/debian-lts-announce/2019/03/msg00042.html\n\n\u0414\u043b\u044f Astra Linux:\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=57444186\n\n\u0414\u043b\u044f OpenSUSE:\nhttps://www.suse.com/security/cve/CVE-2019-5419/",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "16.03.2019",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "23.04.2019",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2019-01507",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2019-5419",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Debian GNU/Linux, Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Ruby on Rails, OpenSUSE Leap, Fedora, Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 9 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Novell Inc. OpenSUSE Leap 15.0 , Novell Inc. OpenSUSE Leap 15.1 , Fedora Project Fedora 30 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 8 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition \u0434\u043b\u044f \u00ab\u042d\u043b\u044c\u0431\u0440\u0443\u0441\u00bb 8.1 \u00ab\u041b\u0435\u043d\u0438\u043d\u0433\u0440\u0430\u0434\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u211611156)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action View \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0421\u0443\u0449\u0435\u0441\u0442\u0432\u0443\u0435\u0442 \u0432 \u043e\u0442\u043a\u0440\u044b\u0442\u043e\u043c \u0434\u043e\u0441\u0442\u0443\u043f\u0435",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u0440\u0430\u0441\u0445\u043e\u0434 \u0440\u0435\u0441\u0443\u0440\u0441\u0430 (\u00ab\u0418\u0441\u0442\u043e\u0449\u0435\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u00bb) (CWE-400)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action View \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0441\u043e\u0434\u0435\u0440\u0436\u0438\u043c\u043e\u0433\u043e HTTP-\u0437\u0430\u0433\u043e\u043b\u043e\u0432\u043a\u043e\u0432\n Accept. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2019-5419\nhttps://security-tracker.debian.org/tracker/CVE-2019-5419\nhttp://www.openwall.com/lists/oss-security/2019/03/22/1\nhttps://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI\nhttps://wiki.astralinux.ru/pages/viewpage.action?pageId=41192827",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-400",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

GHSA-M63J-WH5W-C252

Vulnerability from github – Published: 2019-03-13 17:25 – Updated: 2023-08-08 16:46

Summary

Denial of Service Vulnerability in Action View

Details

Denial of Service Vulnerability in Action View

Impact

Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations.

Workarounds

This vulnerability can be mitigated by wrapping render calls with respond_to blocks. For example, the following example is vulnerable:

class UserController < ApplicationController 
  def index 
    render "index" 
  end 
end

But the following code is not vulnerable:

class UserController < ApplicationController 
  def index 
    respond_to |format| 
      format.html { render "index" } 
    end 
  end 
end

Implicit rendering is impacted, so this code is vulnerable:

class UserController < ApplicationController 
  def index 
  end 
end

But can be changed this this:

class UserController < ApplicationController 
  def index 
    respond_to |format| 
      format.html { render "index" } 
    end 
  end 
end

Alternatively to specifying the format, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb 
# frozen_string_literal: true 

ActionDispatch::Request.prepend(Module.new do 
  def formats 
    super().select do |format| 
      format.symbol || format.ref == "*/*" 
    end 
  end 
end)

Please note that only the 5.2.x, 5.1.x, 5.0.x, and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

Also note that the patches for this vulnerability are the same as CVE-2019-5418.

Credits

Thanks to John Hawthorn john@hawthorn.email of GitHub

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.2.11.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.2.11.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.2.2.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.2.0"
            },
            {
              "fixed": "5.2.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.1.6.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.1.0"
            },
            {
              "fixed": "5.1.6.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 5.0.7.1"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.0.7.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionview"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "6.0.0.beta1"
            },
            {
              "fixed": "6.0.0.beta3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-5419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:45:03Z",
    "nvd_published_at": "2019-03-27T14:29:01Z",
    "severity": "HIGH"
  },
  "details": "# Denial of Service Vulnerability in Action View\n\nImpact \n------ \nSpecially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests.  This impacts all Rails applications that render views. \n\nAll users running an affected release should either upgrade or use one of the workarounds immediately. \n\nReleases \n-------- \nThe 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, and 4.2.11.1 releases are available at the normal locations. \n\nWorkarounds \n----------- \nThis vulnerability can be mitigated by wrapping `render` calls with `respond_to` blocks.  For example, the following example is vulnerable: \n\n``` ruby\nclass UserController \u003c ApplicationController \n  def index \n    render \"index\" \n  end \nend \n``` \n\nBut the following code is not vulnerable: \n\n```ruby \nclass UserController \u003c ApplicationController \n  def index \n    respond_to |format| \n      format.html { render \"index\" } \n    end \n  end \nend \n``` \n\nImplicit rendering is impacted, so this code is vulnerable: \n\n```ruby \nclass UserController \u003c ApplicationController \n  def index \n  end \nend \n``` \n\nBut can be changed this this: \n\n```ruby \nclass UserController \u003c ApplicationController \n  def index \n    respond_to |format| \n      format.html { render \"index\" } \n    end \n  end \nend \n``` \n\nAlternatively to specifying the format, the following monkey patch can be applied in an initializer: \n\n``` \n$ cat config/initializers/formats_filter.rb \n# frozen_string_literal: true \n\nActionDispatch::Request.prepend(Module.new do \n  def formats \n    super().select do |format| \n      format.symbol || format.ref == \"*/*\" \n    end \n  end \nend) \n``` \n\nPlease note that only the 5.2.x, 5.1.x, 5.0.x, and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. \n\nAlso note that the patches for this vulnerability are the same as CVE-2019-5418. \n\nCredits \n------- \nThanks to John Hawthorn \u003cjohn@hawthorn.email\u003e of GitHub ",
  "id": "GHSA-m63j-wh5w-c252",
  "modified": "2023-08-08T16:46:59Z",
  "published": "2019-03-13T17:25:55Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/pull/35708"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/f4c70c2222180b8d9d924f00af0c7fd632e26715"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:0796"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1147"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1149"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2019:1289"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionview/CVE-2019-5419.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA"
    },
    {
      "type": "WEB",
      "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service Vulnerability in Action View"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2019-5419 (GCVE-0-2019-5419)

FKIE_CVE-2019-5419

CERTFR-2019-AVI-111

Solution

GSD-2019-5419

CVE-2019-5419

GHSA-M63J-WH5W-C252

Denial of Service Vulnerability in Action View

Impact

Releases

Workarounds

Credits

Tags

Sightings

Nomenclature