CVE-2019-16201

Sažetak

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.

Reference

https://hackerone.com/reports/661722
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
https://seclists.org/bugtraq/2019/Dec/32
https://seclists.org/bugtraq/2019/Dec/31
https://www.debian.org/security/2019/dsa-4587
https://www.oracle.com/security-alerts/cpujan2020.html
https://security.gentoo.org/glsa/202003-06
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

CVSS

Base:	7.8
Impact:	6.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	COMPLETE

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:C

Zadnje važnije ažuriranje

30-04-2023 - 23:15

Objavljeno

26-11-2019 - 18:15