CVE-2015-7581 (High) detected in actionpack-4.1.0.gem

[mend-bolt-for-github]

CVE-2015-7581 - High Severity Vulnerability

Vulnerable Library - actionpack-4.1.0.gem

Web apps on Rails. Simple, battle-tested conventions for building and testing MVC web applications. Works with any Rack-compatible server.

Library home page: https://rubygems.org/gems/actionpack-4.1.0.gem

Path to dependency file: /tmp/ws-scm/app1/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.5.0/cache/actionpack-4.1.0.gem

Dependency Hierarchy:

• sass-rails-4.0.3.gem (Root Library)
  • railties-4.1.0.gem
    • ❌ actionpack-4.1.0.gem (Vulnerable Library)

Found in HEAD commit: 9d946faa10e3050193fb56220287f7565773de83

Vulnerability Details

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

Publish Date: 2016-02-16

URL: CVE-2015-7581

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-7581

Release Date: 2016-02-16

Fix Resolution: 4.2.5.1,5.0.0.beta1.1