DoS Vulnerability in authenticate_or_request_with_http_digest There is a DoS vulnerability in Action Pack digest authentication handling in Rails. This vulnerability has been assigned the CVE identifier CVE-2012-3424. Versions Affected: 3.x. Not affected: 2.3.5 - 2.3.14 Fixed Versions: 3.0.16, 3.1.7, 3.2.7 Impact ------ All users using Digest Authentication support in Rails should upgrade immediately. Impacted code uses any of the `with_http_digest` controller helper methods. For example: class MyController < ApplicationController def index authenticate_or_request_with_http_digest(REALM) do |uname| # ... end end end Releases -------- The 3.0.16, 3.1.7 & 3.2.7 releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue.
Rails 3.2.7 is in the tree. I hope to get to the older slots during the weekend.
Rails 3.1.7 is now also in the tree.
Rails 3.0.16 now also in the tree.
Thanks, Hans! Please also punt the vulnerable versions. Closing noglsa for ~arch only issue.
CVE-2012-3424 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3424): The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
