The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails :

CVE-2015-7576

A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication.
Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.

CVE-2016-0751

A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service.

CVE-2016-0752

A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.

CVE-2016-2097

Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra.

CVE-2016-2098

If a web applications does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit.

CVE-2016-6316

Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.

For Debian 7 'Wheezy', these problems have been fixed in version 3.2.6-6+deb7u3.

We recommend that you upgrade your ruby-actionpack-3.2 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7581 Security fix for CVE-2016-0751 Security fix for CVE-2015-7576

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7576 CVE-2016-0753

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7581 CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2015-7576

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for rubygem-actionpack-3_2, rubygem-activesupport-3_2 fixes the following issues :

  - CVE-2015-7576: Timing attack vulnerability in basic     authentication in Action Controller (boo#963329)

  - CVE-2016-0752: directory traversal and information leak     in Action View (boo#963332)

  - CVE-2016-0751: rubygem-actionpack: Object Leak DoS     (boo#963331)

  - CVE-2015-7577: Nested attributes rejection proc bypass     (boo#963330)

This update for rubygem-actionpack-4_2, rubygem-actionview-4_2, rubygem-activemodel-4_2, rubygem-activerecord-4_2, rubygem-activesupport-4_2 fixes the following issues :

  - CVE-2015-7576: Timing attack vulnerability in basic     authentication in Action Controller (boo#963329)

  - CVE-2016-0752: directory traversal and information leak     in Action View (boo#963332)

  - CVE-2015-7581: unbounded memory growth DoS via wildcard     controller routes (boo#963335)

  - CVE-2016-0751: rubygem-actionpack: Object Leak DoS     (boo#963331)

  - CVE-2016-0753: Input Validation Circumvention     (boo#963334)

  - CVE-2015-7577: Nested attributes rejection proc bypass     (boo#963330)

Ruby on Rails blog :

Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.

Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation.

ID	Name	Product	Family	Severity
93132	Debian DLA-604-1 : ruby-actionpack-3.2 security update	Nessus	Debian Local Security Checks	high
89640	Fedora 23 : rubygem-actionpack-4.2.3-4.fc23 (2016-f486068393)	Nessus	Fedora Local Security Checks	high
89614	Fedora 22 : rubygem-activesupport-4.2.0-4.fc22 (2016-cb30088b06)	Nessus	Fedora Local Security Checks	medium
89583	Fedora 22 : rubygem-actionpack-4.2.0-3.fc22 / rubygem-activemodel-4.2.0-2.fc22 (2016-94e71ee673)	Nessus	Fedora Local Security Checks	high
89523	Fedora 23 : rubygem-activesupport-4.2.3-3.fc23 (2016-3ede04cd79)	Nessus	Fedora Local Security Checks	low
88613	openSUSE Security Update : rubygem-actionpack-3_2 / rubygem-activesupport-3_2 (openSUSE-2016-160)	Nessus	SuSE Local Security Checks	high
88612	openSUSE Security Update : rubygem-actionpack-4_2 / rubygem-actionview-4_2 / rubygem-activemodel-4_2 / etc (openSUSE-2016-159)	Nessus	SuSE Local Security Checks	high
88532	FreeBSD : rails -- multiple vulnerabilities (bb0ef21d-0e1b-461b-bc3d-9cba39948888)	Nessus	FreeBSD Local Security Checks	high
88499	Debian DSA-3464-1 : rails - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2015-7576

low

Tenable Plugins

high

high

medium

high

low

high

high

high

high