CVE-2019-16201

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions Ruby versions 2.4.7 and earlier, 2.5.x through 2.5.6, 2.6.x through 2.6.4

Description The issue is related to a regular expression Denial of Service caused by looping/backtracking in the WEBrick::HTTPAuth::DigestAuth class in Ruby. This can be exploited by a remote attacker to cause a denial of service if a victim exposes a WEBrick server that uses DigestAuth to the Internet or an untrusted network.

Recommendations For Ruby versions 2.4.7 and earlier: update to a version later than 2.4.7 to resolve the issue. For Ruby versions 2.5.x through 2.5.6: update to a version later than 2.5.6 to resolve the issue. For Ruby versions 2.6.x through 2.6.4: update to a version later than 2.6.4 to resolve the issue. As a temporary workaround, consider disabling the WEBrick::HTTPAuth::DigestAuth class until a patch is available.

Exploit

Fix

DoS

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-287

Related Identifiers

ALSA-2021:2587

ALSA-2021:2588

ALT-PU-2020-1679

ALT-PU-2020-3411

ALT-PU-2021-3068

BDU:2020-00865

CESA-2021_2587

CESA-2021_2588

CVE-2019-16201

DLA-2007-1

DLA-2027-1

DLA-2330-1

DLA-3408-1

DSA-4586-1

DSA-4587-1

MGASA-2019-0408

MGASA-2020-0440

OPENSUSE-SU-2020:0395-1

OPENSUSE-SU-2020_0395-1

RHSA-2021:2104

RHSA-2021:2230

RHSA-2021:2587

RHSA-2021:2588

RHSA-2021_2587

RHSA-2021_2588

RHSA-2022:0581

RHSA-2022:0582

RLSA-2021:2587

RLSA-2021:2588

SUSE-SU-2020:0737-1

SUSE-SU-2020:1570-1

SUSE-SU-2020_1570-1

USN-4201-1

Affected Products

Alt Linux

Almalinux

Astra Linux

Centos

Red Hat

Rocky Linux

Ruby

Suse

Ubuntu

CVE-2019-16201

Weakness Enumeration

Related Identifiers

Affected Products

References · 362