CVSSv3: 7.5

CVE-2019-5419

Published: 27/03/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 695
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Summary

There is a possible denial of service vulnerability in Action View (Rails) in versions before 5.2.2.1, 5.1.6.2, 5.0.7.2 and 4.2.11.1, where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

Vulnerable Products

rubyonrails rails

debian debian linux 8.0

redhat software collections 1.0

redhat cloudforms 4.6

redhat cloudforms 4.7

opensuse leap 15.0

opensuse leap 15.1

fedoraproject fedora 30

Vendor Advisories

Synopsis: Important: rh-ror50-rubygem-actionpack security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ror50-rubygem-actionpack is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: rh-ror42-rubygem-actionpack security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ror42-rubygem-actionpack is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: CloudForms 4.6.9 security, bug fix and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scori ...
Synopsis: Important: CloudForms 4.7.3 security, bug fix and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scor ...
Debian Bug report logs - #924521 rails: CVE-2019-5420. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 13 Mar 2019 21:45:02 UTC; Severity: important; Tags: security, upst ...
Debian Bug report logs - #924520 rails: CVE-2019-5418 CVE-2019-5419. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 13 Mar 2019 21:33:02 UTC; Severity: grave; Tags: secu ...
Debian Bug report logs - #914847 rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 27 Nov 2018 22 ...

Mailing Lists

There is a potential denial of service vulnerability in MODULE / COMPONENT. This vulnerability has been assigned the CVE identifier CVE-2019-5419. Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1. Impact ------ Specially crafted accept headers can cause the Action View template ...
There is a possible file content disclosure vulnerability in Action View. This vulnerability has been assigned the CVE identifier CVE-2019-5418. Versions Affected: All. Not affected: None. Fixed Versions: 6.0.0.beta3, 5.2.2.1, 5.1.6.2, 5.0.7.2, 4.2.11.1. Impact ------ There is a possible file content disclosure vulnerability in Action V ...
# [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View. This is an amendment to the previously announced CVE-2019-5418. There is a possible file content disclosure vulnerability in Action View. This vulnerability can possibly be used to read the Rails secrets file and those secrets can be used to escalate to a remote co ...

Github Repositories

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)

Rails-doubletap-exploit: RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420). Technical Analysis: CVE-2019-5418 - github.com/mpgn/CVE-2019-5418; CVE-2019-5420 - hackerone.com/reports/473888. Security Advisory: CVE-2019-5418 - groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q CVE-2

CVE-2019-5418 - File Content Disclosure on Ruby on Rails

CVE-2019-5418 - File Content Disclosure on Rails. EDIT: this CVE can lead to a Remote Code Execution, more info: github.com/mpgn/Rails-doubletap-RCE. There is a possible file content disclosure vulnerability in Action View. Specially crafted accept headers in combination with calls to render file: can cause arbitrary files on the target server to be rendered, disclosing