Описание
Possible Denial of Service Vulnerability in Rack's header parsing
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1
Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2023-27539
- https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
- https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
- https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
- https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
- https://security.netapp.com/advisory/ntap-20231208-0016
- https://www.debian.org/security/2023/dsa-5530
Пакеты
rack
>= 2.0.0, < 2.2.6.4
2.2.6.4
rack
>= 3.0.0, < 3.0.6.1
3.0.6.1
EPSS
CVE ID
Связанные уязвимости
There is a denial of service vulnerability in the header parsing component of Rack.
There is a denial of service vulnerability in the header parsing component of Rack.
There is a denial of service vulnerability in the header parsing component of Rack.
There is a denial of service vulnerability in the header parsing compo ...
EPSS