Vulnerability Details : CVE-2019-5419
Potential exploit
There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.
Vulnerability category: Denial of service
Products affected by CVE-2019-5419
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms:4.7:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-5419
- EPSS score: 9.06% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~92% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2019-5419
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8 | HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C | 10.0 | 6.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-5419
- The product does not properly control the allocation and maintenance of a limited resource. (Assigned by: support@hackerone.com, Secondary)
- The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-5419
- https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/ : Rails 4.2.11.1, 5.0.7.2, 5.1.6.2, 5.2.2.1, and 6.0.0.beta3 have been released! | Riding Rails (Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:0796 : RHSA-2019:0796 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1149 : RHSA-2019:1149 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1289 : RHSA-2019:1289 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/ : [SECURITY] Fedora 30 Update: rubygem-activemodel-5.2.3-2.fc30 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1147 : RHSA-2019:1147 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI : Google Groups (Exploit; Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html : [SECURITY] [DLA 1739-1] rails security update (Mailing List; Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/03/22/1 : oss-security - [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View (Exploit; Mailing List; Mitigation; Patch; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html : [security-announce] openSUSE-SU-2019:1527-1: important: Security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html : [security-announce] openSUSE-SU-2019:1824-1: important: Security update (Mailing List; Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html : [security-announce] openSUSE-SU-2019:1344-1: moderate: Security update f (Mailing List; Third Party Advisory)