CVE-2019-16201

WEBrick::HTTPAuth::DigestAuth in Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 has a regular expression Denial of Service cause by looping/backtracking. A victim must expose a WEBrick server that uses DigestAuth to the Internet or a untrusted network.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 91%
Affected Products (NVD)
VendorProductVersion
ruby-langruby
2.4.0 ≤
𝑥
≤ 2.4.7
ruby-langruby
2.5.0 ≤
𝑥
≤ 2.5.6
ruby-langruby
2.6.0 ≤
𝑥
≤ 2.6.4
debiandebian_linux
8.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
jruby
bookworm
9.3.9.0+ds-8
fixed
sid
9.4.8.0+ds-1
fixed
trixie
9.4.8.0+ds-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
jruby
bionic
needed
disco
ignored
eoan
ignored
focal
needed
groovy
ignored
hirsute
ignored
impish
ignored
lunar
ignored
mantic
ignored
noble
needs-triage
trusty
Fixed 1.5.6-9+deb8u2build0.14.04.1~esm2
released
xenial
needed
ruby2.3
bionic
dne
disco
dne
eoan
dne
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
Fixed 2.3.1-2~ubuntu16.04.14
released
ruby2.5
bionic
Fixed 2.5.1-1ubuntu1.6
released
disco
Fixed 2.5.5-1ubuntu1.1
released
eoan
Fixed 2.5.5-4ubuntu2.1
released
focal
dne
groovy
dne
hirsute
dne
impish
dne
jammy
dne
kinetic
dne
lunar
dne
mantic
dne
noble
dne
trusty
dne
xenial
dne
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_1-2_1
suse enterprise sap 12 SP4
2.1.9-19.3.2
fixed
suse enterprise sap 12 SP5
2.1.9-19.3.2
fixed
suse enterprise server 12 SP2
2.1.9-19.3.2
fixed
suse enterprise server 12 SP3
2.1.9-19.3.2
fixed
suse enterprise server 12 SP5
2.1.9-19.3.2
fixed
libruby2_5-2_5
suse enterprise desktop 15 SP1
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP2
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP3
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP4
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP5
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP6
2.5.7-4.8.1
fixed
suse enterprise desktop 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise sap 15 SP1
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP2
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP3
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP4
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP5
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP6
2.5.7-4.8.1
fixed
suse enterprise sap 15 SP7
2.5.9-150700.22.16
fixed
suse enterprise server 15
2.5.7-4.8.1
fixed
suse enterprise server 15 SP1
2.5.7-4.8.1
fixed
suse enterprise server 15 SP2
2.5.7-4.8.1
fixed
suse enterprise server 15 SP3
2.5.7-4.8.1
fixed
suse enterprise server 15 SP4
2.5.7-4.8.1
fixed
suse enterprise server 15 SP5
2.5.7-4.8.1
fixed
suse enterprise server 15 SP6
2.5.7-4.8.1
fixed
suse enterprise server 15 SP7
2.5.9-150700.22.16
fixed
yast2-ruby-bindings
suse enterprise server 12 SP2
3.1.53-9.8.1
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-debuginfo
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-devel
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-doc
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-irb
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-libs
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby-tcltk
Amazon Linux 2
0:2.0.0.648-36.amzn2.0.7
fixed
ruby24
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
ruby24-debuginfo
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
ruby24-devel
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
ruby24-doc
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
ruby24-irb
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
ruby24-libs
Amazon Linux 1
0:2.4.10-2.12.amzn1
fixed
rubygem-bigdecimal
Amazon Linux 2
0:1.2.0-36.amzn2.0.7
fixed
rubygem-io-console
Amazon Linux 2
0:0.4.2-36.amzn2.0.7
fixed
rubygem-json
Amazon Linux 2
0:1.7.7-36.amzn2.0.7
fixed
rubygem-minitest
Amazon Linux 2
0:4.3.2-36.amzn2.0.7
fixed
rubygem-psych
Amazon Linux 2
0:2.0.0-36.amzn2.0.7
fixed
rubygem-rake
Amazon Linux 2
0:0.9.6-36.amzn2.0.7
fixed
rubygem-rdoc
Amazon Linux 2
0:4.0.0-36.amzn2.0.7
fixed
rubygem24-bigdecimal
Amazon Linux 1
0:1.3.2-2.12.amzn1
fixed
rubygem24-did_you_mean
Amazon Linux 1
0:1.1.0-2.12.amzn1
fixed
rubygem24-io-console
Amazon Linux 1
0:0.4.6-2.12.amzn1
fixed
rubygem24-json
Amazon Linux 1
0:2.0.4-2.12.amzn1
fixed
rubygem24-minitest5
Amazon Linux 1
0:5.10.1-2.12.amzn1
fixed
rubygem24-net-telnet
Amazon Linux 1
0:0.1.1-2.12.amzn1
fixed
rubygem24-power_assert
Amazon Linux 1
0:0.4.1-2.12.amzn1
fixed
rubygem24-psych
Amazon Linux 1
0:2.2.2-2.12.amzn1
fixed
rubygem24-rdoc
Amazon Linux 1
0:5.0.1-2.12.amzn1
fixed
rubygem24-test-unit
Amazon Linux 1
0:3.2.3-2.12.amzn1
fixed
rubygem24-xmlrpc
Amazon Linux 1
0:0.2.1-2.12.amzn1
fixed
rubygems
Amazon Linux 2
0:2.0.14.1-36.amzn2.0.7
fixed
rubygems-devel
Amazon Linux 2
0:2.0.14.1-36.amzn2.0.7
fixed
rubygems24
Amazon Linux 1
0:2.6.14.4-2.12.amzn1
fixed
rubygems24-devel
Amazon Linux 1
0:2.6.14.4-2.12.amzn1
fixed
Azure Linux logo
Azure Linux Releases
Azure Package
Release
ruby
CBL-Mariner 1.0
0:2.6.7-1.cm1
fixed