CVE-2014-0082
Ruby on Rails 3.x - Denial of Service via MIME Type String Conversion
Title source: llmDescription
actionpack/lib/action_view/template/text.rb in Action View in Ruby on Rails 3.x before 3.2.17 converts MIME type strings to symbols during use of the :text option to the render method, which allows remote attackers to cause a denial of service (memory consumption) by including these strings in headers.
References (9)
Core 9
Core References
Mailing List mailing-list
x_refsource_mlist
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/LMxO_3_eCuc/ozGBEhKaJbIJ
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0215.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2014-0306.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/57836
Various Sources x_refsource_confirm
https://puppet.com/security/cve/cve-2014-0082
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2014-02/msg00081.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/57376
Mailing List mailing-list
x_refsource_mlist
http://openwall.com/lists/oss-security/2014/02/18/10
Various Sources x_refsource_confirm
http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/
Scores
EPSS
0.0646
EPSS Percentile
91.2%
Details
CWE
CWE-20
Status
published
Products (22)
rubygems/actionpack
3.0.0 - 3.2.17RubyGems
rubyonrails/rails
3.0.0 (7 CPE variants)
rubyonrails/rails
3.0.1 (2 CPE variants)
rubyonrails/rails
3.0.2 (2 CPE variants)
rubyonrails/rails
3.0.3
rubyonrails/rails
3.0.4 rc1
rubyonrails/rails
3.0.5 (2 CPE variants)
rubyonrails/rails
3.0.6 (3 CPE variants)
rubyonrails/rails
3.0.7 (3 CPE variants)
rubyonrails/rails
3.0.8 (5 CPE variants)
... and 12 more
Published
Feb 20, 2014
Tracked Since
Feb 18, 2026