Overview

CVE-2014-0082 (ActionView vulnerability in Ruby on Rails)

  • Posted March 4, 2014

  • Assessed Risk Level: Medium

The text rendering component of ActionView is vulnerable to denial-of-service attacks. Strings in specially crafted headers are converted to symbols, and because Ruby's garbage collector does not remove symbols, they can outgrow the heap and bring down the Rails process. For more details, please see: https://groups.google.com/forum/#!topic/ruby-security-ann/ZaQ0-g1gUpc
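
The symbol-growth pattern described above, next to an allowlist lookup that avoids it, as an added Ruby example that is not code from Rails or Puppet Enterprise. It assumes the header value is a MIME-type-like string; the format table and all method names are hypothetical.

```ruby
# Added illustration; not Rails or Puppet Enterprise code.
# KNOWN_FORMATS, format_unsafe, format_safe and symbol_interned? are hypothetical names.

# Fixed set of formats the application supports (constructed sample table).
KNOWN_FORMATS = {
  "text/html"        => :html,
  "text/plain"       => :text,
  "application/json" => :json,
  "application/xml"  => :xml
}.freeze

# Vulnerable pattern: every distinct header value is interned as a new symbol.
# Rubies before 2.2 never collect symbols, so the table grows with client input;
# 2.2 and later can collect dynamically created symbols once unreferenced.
def format_unsafe(header_value)
  header_value.to_s.strip.downcase.to_sym
end

# Hardened pattern: look the string up in a fixed table and fall back to a
# default, so untrusted input is never turned into a symbol.
def format_safe(header_value, default = :html)
  media_type = header_value.to_s.split(";", 2).first.to_s.strip.downcase
  KNOWN_FORMATS.fetch(media_type, default)
end

# True if a symbol with this name exists, checked without creating it.
def symbol_interned?(name)
  Symbol.all_symbols.any? { |sym| sym.to_s == name }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header values: one supported, one unknown.
  ["Application/JSON; charset=utf-8", "application/x-constructed-demo"].each do |value|
    before = symbol_interned?(value.downcase)
    result = format_safe(value)
    created = !before && symbol_interned?(value.downcase)
    puts "#{value.inspect} -> #{result.inspect} (new symbol created: #{created})"
  end
end
```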

Status

  • Affected Versions: Puppet Enterprise 3.x
  • Resolved in Puppet Enterprise 3.2.0