Denial of Service Vulnerability in WEBrick's Digest Authentication for Ruby
CVE-2019-16201

7.5HIGH

Key Information:

Vendor: Ruby-lang
Status: Ruby
Vendor: CVE Published:; 26 November 2019

What is CVE-2019-16201?

The WEBrick::HTTPAuth::DigestAuth component in Ruby versions 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 is susceptible to a Denial of Service attack due to a vulnerability in its regular expression handling. Affected systems may experience significant performance degradation when exposed to malicious requests, particularly when the server is accessible on the Internet or an untrusted network. Operators should ensure they apply recommended security updates to mitigate this risk.

References

https://hackerone.com/reports/661722

https://lists.debian.org/debian-lts-announce/2019/11/msg0...

https://lists.debian.org/debian-lts-announce/2019/12/msg0...

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 26, 2019
Vulnerability Reserved
Sep 10, 2019

Ruby-lang

What is CVE-2019-16201?

References

CVSS V3.1

Timeline