Ruby

By DeepSource

Project's Rails version is vulnerable to DoS when using render :text (RB-A1011)

Security

Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols when the render :text option is used. Before Ruby 2.2, symbols are never garbage collected, so a remote attacker who sends requests carrying many distinct MIME type strings in headers can grow the symbol table without bound and exhaust the process's memory (denial of service). Upgrade to Rails 3.2.17 or later; Rails 4.0 and later are not affected.
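The following is an added example, not Rails' own code and not the 3.2.17 patch: a reduced model of the bug class, in plain Ruby with no Rails dependency. It contrasts a lookup that interns whatever MIME string the request supplies with one that only maps strings found in a fixed registry, and counts how many distinct symbols each produces for a constructed batch of attacker-chosen Accept values. The registry, the method names and the sample header values are all assumptions made for the illustration.

```ruby
# Added example (not from Rails): why turning request-controlled MIME strings
# into symbols is a memory-exhaustion sink, and the allow-list shape that
# removes it. Runs stand-alone on any Ruby.

# Constructed registry of the MIME types the application actually serves.
# Keys are the wire strings, values are the format symbols the app uses.
REGISTERED_MIME_TYPES = {
  "text/html"        => :html,
  "text/plain"       => :text,
  "application/json" => :json,
  "application/xml"  => :xml,
}.freeze

# Vulnerable shape: every string reaching this method becomes a Symbol.
# On Ruby < 2.2 symbols are never garbage collected, so each distinct value
# an attacker sends pins a new symbol-table entry for the life of the process.
def vulnerable_format_symbol(mime_string)
  mime_string.to_sym
end

# Hardened shape: only registered MIME strings map to a symbol; anything else
# collapses to a fixed default, so attacker input is never interned.
def hardened_format_symbol(mime_string, default: :text)
  REGISTERED_MIME_TYPES.fetch(mime_string.to_s.strip.downcase, default)
end

# Run a batch of Accept header values through a lookup and report how many
# distinct symbols it yielded. A bounded result means bounded memory.
def count_distinct_symbols(lookup, accept_values)
  accept_values.map { |accept| lookup.call(accept) }.uniq.size
end

# Constructed attacker traffic: 1,000 requests, each with a unique MIME type.
ATTACKER_ACCEPTS = (1..1_000).map { |i| "application/x-attack-#{i}" }.freeze

if __FILE__ == $PROGRAM_NAME
  vuln = count_distinct_symbols(method(:vulnerable_format_symbol), ATTACKER_ACCEPTS)
  hard = count_distinct_symbols(method(:hardened_format_symbol), ATTACKER_ACCEPTS)
  puts "vulnerable lookup interned #{vuln} distinct symbols"
  puts "hardened lookup interned   #{hard} distinct symbol(s)"
end
```

The point to take from the comparison is that the hardened version's output is bounded by the size of the registry no matter how much traffic arrives, whereas the vulnerable version's symbol count tracks the number of distinct values the attacker chooses to send. When auditing code that calls `to_sym` (or `intern`, or `send` with a request-derived name), ask whether the string is bounded by something the application controls; if it is not, an allow-list lookup like the one above is the usual fix.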

References

  1. CVE-2014-0082 - Rails Security Group
  2. CVE-2014-0082 - GitHub Advisory Database
  3. OWASP Top 10 - A5 - Broken Access Control
  4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities
  5. SANS 25 - CWE-400 - Uncontrolled Resource Consumption