CVE-2024-26146

2024-02-2900:15:51

CWE-1333

GitHub_M

web.nvd.nist.gov

120

cve-2024-26146

rack

ruby

web server

interface

denial of service

vulnerability

nvd

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

5.1

Confidence

High

EPSS

Percentile

13.0%

JSON

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

Affected configurations

Vulners

Vulnrichment

Node

rackrackRange3.0.0–3.0.9.1

rackrackRange2.2.0–2.2.8.1

rackrackRange2.1.0–2.1.4.4

rackrackRange<2.0.9.4

VendorProductVersionCPE
rackrack*cpe:2.3:a:rack:rack:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rack	rack	*	cpe:2.3:a:rack:rack::::::::

CNA Affected

[
  {
    "vendor": "rack",
    "product": "rack",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.0.9.1",
        "status": "affected"
      },
      {
        "version": ">= 2.2.0, < 2.2.8.1",
        "status": "affected"
      },
      {
        "version": ">= 2.1.0, < 2.1.4.4",
        "status": "affected"
      },
      {
        "version": "< 2.0.9.4",
        "status": "affected"
      }
    ]
  }
]