CVE-2019-16201
Advisory lineage Upstream: 0 Downstream: 21
Modified
Published: 26 Nov 2019, 00:00
Last modified:05 Aug 2024, 01:10
Vulnerability Summary
Overall Risk (default)
medium
31/100 CVSS Score
7.8 HIGH
v2.0 (nvd)
EPSS Score
0.61% LOW
1% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
26 Nov 2019, 00:00
Published
Vulnerability first disclosed
05 Aug 2024, 01:10
Last Modified
Vulnerability information updated
Description
WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
CVSS Metrics
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0•HIGH•Score: 7.8AV:N/AC:L/Au:N/C:N/I:N/A:C
EPSS Trends
Current EPSS score: 0.61%• Percentile: 70%
Techniques & Countermeasures
- CWE-287•Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Affected Systems
- debian•debian_linux
8.0
- ruby-lang•ruby
≥ 2.4.0, ≤ 2.4.7 | ≥ 2.5.0, ≤ 2.5.6 | ≥ 2.6.0, ≤ 2.6.4
References (11)
- https://hackerone.com/reports/661722
- https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
- https://seclists.org/bugtraq/2019/Dec/31
- https://seclists.org/bugtraq/2019/Dec/32
- https://www.debian.org/security/2019/dsa-4587
- https://www.oracle.com/security-alerts/cpujan2020.html
- https://security.gentoo.org/glsa/202003-06
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html