PT-2019-1855 · Rails · Action View
Published 2019-03-13 · Updated 2024-06-15 · CVE-2019-5419
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Action View (Rails) versions prior to 5.2.2.1
Action View (Rails) versions prior to 5.1.6.2
Action View (Rails) versions prior to 5.0.7.2
Action View (Rails) versions prior to 4.2.11.1
Description
The vulnerability stems from errors in how Action View processes HTTP Accept headers. A specially crafted Accept header can cause the Action View template location code to consume 100% CPU, leaving the server unable to process requests. A remote attacker can exploit this to cause a denial of service.
Recommendations
For versions prior to 5.2.2.1, upgrade to version 5.2.2.1 or later.
For versions prior to 5.1.6.2, upgrade to version 5.1.6.2 or later.
For versions prior to 5.0.7.2, upgrade to version 5.0.7.2 or later.
For versions prior to 4.2.11.1, upgrade to version 4.2.11.1 or later.
As a temporary workaround, consider wrapping render calls in respond_to blocks to mitigate the issue.
Alternatively, a monkey patch can be applied in an initializer to filter the request formats and prevent the vulnerability.
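The "filter formats" workaround mentioned above, modelled as an added, stand-alone Ruby example (not Rails' own code): it parses an Accept header into candidate media types and keeps only those the application has registered, or `*/*`, so that attacker-controlled strings never reach template lookup. The registry, the entry cap and all function names are constructed for this example.

```ruby
# Added example for CVE-2019-5419: an allowlist over negotiated formats.
# Not Rails code; it models what a format-filtering initializer achieves.

# Constructed registry, in the spirit of Mime::Type registration.
REGISTERED_FORMATS = {
  "text/html"        => :html,
  "application/json" => :json,
  "application/xml"  => :xml,
  "text/plain"       => :text,
}.freeze

# Assumption: bound the parsing work done per request.
MAX_ACCEPT_ENTRIES = 32

# Split an Accept header into media-range strings, dropping q-parameters.
def parse_accept(header)
  header.to_s.split(",").first(MAX_ACCEPT_ENTRIES).map do |entry|
    entry.split(";").first.to_s.strip.downcase
  end.reject(&:empty?)
end

# Keep only registered media types (mapped to their symbol) or the wildcard.
# Anything unknown is discarded before template resolution runs.
def filter_formats(media_types)
  media_types.map do |type|
    type == "*/*" ? :all : REGISTERED_FORMATS[type]
  end.compact.uniq
end

# Formats that an action would be allowed to render for this header.
def negotiated_formats(header)
  filter_formats(parse_accept(header))
end

if __FILE__ == $0
  # Constructed sample headers: one ordinary, one carrying an unregistered type.
  p negotiated_formats("text/html,application/json;q=0.9")
  p negotiated_formats("application/x-unknown;q=0.5,*/*")
end
```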
DoS
Allocation of Resources Without Limits
Resource Exhaustion
Affected Products: Action View, Suse