CVSSv3: 7.5

CVE-2019-5419

Published: 27/03/2019 Updated: 07/11/2023
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 695
Vector (CVSS v2): AV:N/AC:L/Au:N/C:N/I:N/A:C

Vulnerability Summary

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.


Vulnerable Products

rubyonrails rails

debian debian linux 8.0

redhat software collections 1.0

redhat cloudforms 4.6

redhat cloudforms 4.7

opensuse leap 15.0

opensuse leap 15.1

fedoraproject fedora 30

Vendor Advisories

Synopsis: Important: rh-ror50-rubygem-actionpack security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ror50-rubygem-actionpack is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: rh-ror42-rubygem-actionpack security update. Type/Severity: Security Advisory: Important. Topic: An update for rh-ror42-rubygem-actionpack is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis: Important: CloudForms 4.6.9 security, bug fix and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for CloudForms Management Engine 5.9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scori ...
Synopsis: Important: CloudForms 4.7.3 security, bug fix and enhancement update. Type/Severity: Security Advisory: Important. Topic: An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scor ...
Debian Bug report logs - #914847 rails: CVE-2018-16476: Broken Access Control vulnerability in Active Job. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Tue, 27 Nov 2018 22 ...
Debian Bug report logs - #924521 rails: CVE-2019-5420. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 13 Mar 2019 21:45:02 UTC; Severity: important; Tags: security, upst ...
Debian Bug report logs - #924520 rails: CVE-2019-5418 CVE-2019-5419. Package: src:rails; Maintainer for src:rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 13 Mar 2019 21:33:02 UTC; Severity: grave; Tags: secu ...

Mailing Lists

oss-sec mailing list archives: [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View ...

Github Repositories

RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420)

Rails-doubletap-exploit: RCE on Rails 5.2.2 using a path traversal (CVE-2019-5418) and a deserialization of Ruby objects (CVE-2019-5420). Technical Analysis: CVE-2019-5418 - github.com/mpgn/CVE-2019-5418; CVE-2019-5420 - hackerone.com/reports/473888. Security Advisory: CVE-2019-5418 - groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q; CVE-2

CVE-2019-5418 - File Content Disclosure on Ruby on Rails

CVE-2019-5418 - File Content Disclosure on Rails. EDIT: this CVE can lead to a Remote Code Execution, more info: github.com/mpgn/Rails-doubletap-RCE. There is a possible file content disclosure vulnerability in Action View. Specially crafted Accept headers in combination with calls to `render file:` can cause arbitrary files on the target server to be rendered, disclosing