7.5 High (CVSS3)

| Metric | Value |
|---|---|
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | NONE |
| Integrity Impact | NONE |
| Availability Impact | HIGH |

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS: 0.001 (Low), percentile 39.8%
A denial of service vulnerability in the multipart parsing component of
Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1, could allow an attacker
to craft input that causes RFC 2183 multipart boundary parsing in Rack to
take an unexpected amount of time, possibly resulting in a denial of
service attack vector. Any applications that parse multipart posts using
Rack (virtually all Rails applications) are impacted.
| Author | Note |
|---|---|
| ccdm94 | The variable related to the regular expression that causes the DoS was introduced in commit b3e90edf, together with RFC 2231 changes. |
github.com/rack/rack/commit/19e49f0f185d7e42ed5b402baec6c897a8c48029 (v2.2.6.1)
github.com/rack/rack/commit/8291f502b0e1dcf514cc25c34e4bf0beec7a92ae (v2.1.4.2)
github.com/rack/rack/commit/dc50f8e495f67eb933b1fc33ebee550908d945e6 (v2.0.9.2)
launchpad.net/bugs/cve/CVE-2022-44572
nvd.nist.gov/vuln/detail/CVE-2022-44572
security-tracker.debian.org/tracker/CVE-2022-44572
ubuntu.com/security/notices/USN-5910-1
www.cve.org/CVERecord?id=CVE-2022-44572