Description
The decode_credentials method in actionpack/lib/action_controller/metal/http_authentication.rb in Ruby on Rails 3.x before 3.0.16, 3.1.x before 3.1.7, and 3.2.x before 3.2.7 converts Digest Authentication strings to symbols, which allows remote attackers to cause a denial of service by leveraging access to an application that uses a with_http_digest helper method, as demonstrated by the authenticate_or_request_with_http_digest method.
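The symbol-conversion pattern described above, shown beside a string-keyed alternative. This is an added Ruby example, not the Rails source; the function names, the allowlist and the sample header are constructed for illustration, and the header parsing is deliberately simplified.

```ruby
# Added illustration, not the Rails implementation of decode_credentials.

# Parameter names used in Digest credentials (RFC 2617).
KNOWN_DIGEST_PARAMS = %w[username realm nonce uri response algorithm
                         cnonce opaque qop nc].freeze

# Split 'Digest k1="v1", k2=v2' into [name, value] pairs of Strings.
# Simplified: does not handle commas inside quoted values.
def digest_pairs(header)
  header.to_s.sub(/\ADigest\s+/i, '').split(',').map do |pair|
    key, value = pair.split('=', 2)
    [key.to_s.strip, value.to_s.strip.gsub(/\A"|"\z/, '')]
  end
end

# Pattern from the advisory: every client-supplied parameter name becomes a
# Symbol. On Ruby versions without symbol garbage collection (before 2.2),
# each distinct name stays in the symbol table for the life of the process.
def decode_credentials_symbolized(header)
  digest_pairs(header).each_with_object({}) { |(k, v), h| h[k.to_sym] = v }
end

# Hardened form: names stay Strings (ordinary garbage-collected objects) and
# anything outside the allowlist is dropped before it is stored.
def decode_credentials_hardened(header)
  digest_pairs(header).each_with_object({}) do |(k, v), h|
    h[k] = v if KNOWN_DIGEST_PARAMS.include?(k)
  end
end

# Constructed sample header with one parameter name the server never expects.
SAMPLE_HEADER = 'Digest username="alice", realm="app", nonce="abc123", ' \
                'uri="/", response="deadbeef", x_unexpected_1="1"'
```

With the symbolized form, the set of symbols the process holds is controlled by whoever sends the header; with the hardened form, request data never reaches the symbol table.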
Remediation
References