Lucene search

RubySecRUBY:RACK-2022-44571

HistoryJan 17, 2023 - 9:00 p.m.

Denial of Service Vulnerability in Rack Content-Disposition parsing

2023-01-1721:00:00

RubySec

rubysec.com

denial of service

content-disposition

rack

vulnerability

cve-2022-44571

multipart parsing

rails applications

fixed versions

cve identifier

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

41.6%

JSON

There is a denial of service vulnerability in the Content-Disposition parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-44571.

Versions Affected: >= 2.0.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1

Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack
to take an unexpected amount of time, possibly resulting in a denial of
service attack vector. This header is used typically used in multipart
parsing. Any applications that parse multipart posts using Rack (virtually
all Rails applications) are impacted.

Workarounds

There are no feasible workarounds for this issue.

CPENameOperatorVersion
rackle2.0.9.1
rackge2.0.10.0
rackle2.1.4.1
rackge2.1.5.0
rackle2.2.6.0
rackge2.2.7.0
racklt3.0.4.1

Name	Operator	Version
rack	le	2.0.9.1
rack	ge	2.0.10.0
rack	le	2.1.4.1
rack	ge	2.1.5.0
rack	le	2.2.6.0
rack	ge	2.2.7.0
rack	lt	3.0.4.1

References

github.com/rack/rack/releases/tag/v3.0.4.1

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.001 Low

EPSS

Percentile

41.6%

JSON

Related for RUBY:RACK-2022-44571