Lucene search

K

SvalkanovH1:2446433

HistoryApr 03, 2024 - 9:28 p.m.

Internet Bug Bounty: [CVE-2024-26146] Header Parsing leads to Possible Denial of Service Vulnerability

2024-04-0321:28:53

svalkanov

hackerone.com

40

internet bug bounty

cve-2024-26146

header parsing

possible denial of service

vulnerability

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.2%

I’ve made a report and provided a patch https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.2%

Related for H1:2446433

veracode1 nvd2 cve2 ubuntucve1 redhatcve1 wolfi1 osv9 cgr1 prion1 github1 debiancve1 ibm1 cvelist2 rubygems1 openvas6 oraclelinux2 nessus20 redhat8 debian2 ubuntu2 rocky1 almalinux2 amazon1 redos1 mageia1