CVE-2019-16201: Regular Expression Denial of Service vulnerability of WEBrick's Digest access authentication

Regular expression denial of service vulnerability of WEBrick’s Digest authentication module was found. An attacker can exploit this vulnerability to cause an effective denial of service against a WEBrick service.

CVE-2019-16201 has been assigned to this vulnerability.

All users running any affected releases should upgrade as soon as possible.

Affected Versions

  • All releases that are Ruby 2.3 or earlier
  • Ruby 2.4 series: Ruby 2.4.7 or earlier
  • Ruby 2.5 series: Ruby 2.5.6 or earlier
  • Ruby 2.6 series: Ruby 2.6.4 or earlier
  • Ruby 2.7.0-preview1
  • prior to master commit 36e057e26ef2104bc2349799d6c52d22bb1c7d03

Acknowledgement

Thanks to 358 for discovering this issue.

History

  • Originally published at 2019-10-01 11:00:00 (UTC)