Lucene search

K

SvalkanovH1:2446437

HistoryApr 03, 2024 - 9:32 p.m.

Internet Bug Bounty: [CVE-2024-25126] Denial of Service Vulnerability in Rack Content-Type Parsing

2024-04-0321:32:58

svalkanov

hackerone.com

18

internet bug bounty

cve-2024-25126

denial of service

rack

content-type parsing

vulnerability

ruby on rails

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.5%

I’ve made a report https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941

Impact

Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability.

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

6.1 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.5%

Related for H1:2446437

redhatcve1 cvelist1 cve1 debiancve1 osv8 veracode1 github1 cgr1 wolfi1 nvd1 prion1 ubuntucve1 rubygems1 nessus19 redhat8 openvas5 rocky1 oraclelinux2 almalinux2 amazon1 debian2 redos1 mageia1 ubuntu1