#VU8584 Denial of service in Ruby on Rails - CVE-2015-7581

Cybersecurity Help s.r.o.

Published: 2016-01-26 | Updated: 2017-09-22

Vulnerability identifier: #VU8584

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2015-7581

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby on Rails
Universal components / Libraries / Scripting languages

Vendor: Rails

Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.

Mitigation
Update to version 4.2.5.1.

Vulnerable software versions

Ruby on Rails: 4.2.0 rc1 - 4.2.5

External links
https://rubygems.org/gems/rails/versions/4.2.5.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE Linux update for portus

Multiple vulnerabilities in Ruby on Rails