Lucene search

GitHub Advisory DatabaseGHSA-V6J3-7JRW-HQ2P

HistoryMay 17, 2022 - 4:59 a.m.

Rack Gem Subject to Denial of Service via Hash Collisions

2022-05-1704:59:13

CWE-328

CWE-400

GitHub Advisory Database

github.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.008 Low

EPSS

Percentile

81.8%

JSON

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Affected configurations

Vulners

Node

org.jruby\jrubyMatchparent

rackrackRange<1.3.6

rackrackRange<1.2.5

rackrackRange<1.1.3

CPENameOperatorVersion
org.jruby:jruby-parentlt1.6.5.1
racklt1.3.6
racklt1.2.5
racklt1.1.3

Name	Operator	Version
org.jruby:jruby-parent	lt	1.6.5.1
rack	lt	1.3.6
rack	lt	1.2.5
rack	lt	1.1.3

References

www.debian.org/security/2013/dsa-2783

www.kb.cert.org/vuls/id/903934

www.nruns.com/_downloads/advisory28122011.pdf

www.ocert.org/advisories/ocert-2011-003.html

gist.github.com/52bbc6b9cc19ce330829

github.com/advisories/GHSA-v6j3-7jrw-hq2p

github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml

nvd.nist.gov/vuln/detail/CVE-2011-5036

web.archive.org/web/20120201040317/jruby.org/2011/12/27/jruby-1-6-5-1

web.archive.org/web/20130213132312/archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.008 Low

EPSS

Percentile

81.8%

JSON

Related for GHSA-V6J3-7JRW-HQ2P