CVE-2019-5419

Published 2 months ago
Category: Denial of Service
Severity: Severe

Vulnerability in actionview

There is a potential denial of service vulnerability in actionview. This vulnerability has been assigned the CVE identifier CVE-2019-5419.

Impact

Specially crafted accept headers can cause the Action View template location code to consume 100% CPU, causing the server unable to process requests. This impacts all Rails applications that render views.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

This vulnerability can be mitigated by wrapping render calls with respond_to blocks. For example, the following example is vulnerable:

class UserController < ApplicationController
  def index
    render "index"
  end
end

But the following code is not vulnerable:

class UserController < ApplicationController
  def index
    respond_to |format|
      format.html { render "index" }
    end
  end
end

Implicit rendering is impacted, so this code is vulnerable:

class UserController < ApplicationController
  def index
  end
end

But can be changed this this:

class UserController < ApplicationController
  def index
    respond_to |format|
      format.html { render "index" }
    end
  end
end

Alternatively to specifying the format, the following monkey patch can be applied in an initializer:

$ cat config/initializers/formats_filter.rb
# frozen_string_literal: true

ActionDispatch::Request.prepend(Module.new do
  def formats
    super().select do |format|
      format.symbol || format.ref == "*/*"
    end
  end
end)

Credits

Thanks to John Hawthorn john@hawthorn.email of GitHub

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 6.0.0.beta3 ~> 5.2.2 >= 5.2.2.1 ~> 5.1.6 >= 5.1.6.2 ~> 5.0.7 >= 5.0.7.2 ~> 4.2.11 >= 4.2.11.1

Unaffected Versions

n/a

References

n/a