DoS Vulnerability in authenticate_or_request_with_http_digest
There is a DoS vulnerability in Action Pack digest authentication handling in Rails.
This vulnerability has been assigned the CVE identifier CVE-2012-3424.
Versions Affected: 3.x.
Not affected: 2.3.5 - 2.3.14
Fixed Versions: 3.0.16, 3.1.7, 3.2.7
All users using Digest Authentication support in Rails should upgrade
immediately. Impacted code uses any of the `with_http_digest` controller
helper methods. For example:
    class MyController < ApplicationController
      authenticate_or_request_with_http_digest(REALM) do |uname|
        # look up the password stored for uname
      end
    end
The 3.0.16, 3.1.7 & 3.2.7 releases are available at the normal locations.
There are no feasible workarounds for this issue.
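As an added illustration (not code from the advisory or from Rails itself), the following Ruby shows the pattern this CVE describes: a simplified parser for the Authorization: Digest header that interns every client-supplied field name as a Symbol, next to a version that keeps field names as Strings and only accepts the fields RFC 2617 defines. The sample header, the field list and all function names are constructed for this example; the last helper reports unexpected field names, which is worth logging when watching an application that cannot be upgraded yet.

```ruby
# Added example, not part of the Rails advisory or the Rails code base.
# A cut-down Authorization: Digest parser in the shape that made
# CVE-2012-3424 possible, beside a hardened form of the same parser.

# Constructed sample header: every field name here is chosen by the client.
SAMPLE_HEADER = 'Digest username="alice", realm="app", nonce="abc123", ' \
                'uri="/secret", response="deadbeef", qop=auth, nc=00000001'

# Fields a Digest challenge response may carry (RFC 2617, section 3.2.2).
DIGEST_FIELDS = %w[username realm nonce uri qop nc cnonce response
                   opaque algorithm].freeze

# Splits "Digest k1="v1", k2=v2" into [[k1, v1], [k2, v2]]; quotes around
# values are dropped. (Simplified: values containing commas are not handled.)
def split_digest_pairs(header)
  header.to_s.sub(/\ADigest\s+/, '').split(',').map do |pair|
    key, value = pair.split('=', 2)
    [key.to_s.strip, value.to_s.strip.gsub(/\A"|"\z/, '')]
  end
end

# Vulnerable pattern: each client-supplied field name becomes a Symbol.
# Before Ruby 2.2 symbols were never garbage collected, so every request
# carrying a fresh field name grew the symbol table for the life of the
# process, which is the memory-exhaustion denial of service behind this CVE.
def decode_credentials_vulnerable(header)
  Hash[split_digest_pairs(header).map { |k, v| [k.to_sym, v] }]
end

# Hardened pattern: field names stay Strings and anything outside the known
# field list is discarded, so nothing from the wire reaches the symbol table.
def decode_credentials_hardened(header)
  split_digest_pairs(header).each_with_object({}) do |(k, v), creds|
    creds[k] = v if DIGEST_FIELDS.include?(k)
  end
end

# Detection aid: field names that no well-formed Digest client would send.
# A non-empty result on a not-yet-patched application is worth alerting on.
def unexpected_digest_fields(header)
  split_digest_pairs(header).map(&:first).reject { |k| DIGEST_FIELDS.include?(k) }
end
```

The hardened decoder gives up nothing the authentication check needs: the password lookup only ever uses the standard fields, and the String-keyed hash is looked up with the same literal names the vulnerable version used as symbols.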
Rails 3.2.7 is in the tree. I hope to get to the older slots during the weekend.
Rails 3.1.7 is now also in the tree.
Rails 3.0.16 is now also in the tree.
Thanks, Hans! Please also punt the vulnerable versions.
Closing noglsa for ~arch only issue.
The decode_credentials method in
actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on
Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts
Digest Authentication strings to symbols, which allows remote attackers to
cause a denial of service by leveraging access to an application that uses a
with_http_digest helper method, as demonstrated by the