Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-rqv2-275x-2jq5

Опубликовано: 18 янв. 2023
Источник: github
Github: Прошло ревью

Описание

Denial of service via multipart parsing in Rack

There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1 Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Releases

The fixed releases are available at the normal locations. Workarounds

There are no feasible workarounds for this issue. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Forbid-control-characters-in-attributes.patch - Patch for 2.0 series 2-1-Forbid-control-characters-in-attributes.patch - Patch for 2.1 series 2-2-Forbid-control-characters-in-attributes.patch - Patch for 2.2 series 3-0-Forbid-control-characters-in-attributes.patch - Patch for 3.0 series

Ссылки

Пакеты

Наименование

rack

rubygems
Затронутые версииВерсия исправления

>= 2.0.0, < 2.0.9.2

2.0.9.2

Наименование

rack

rubygems
Затронутые версииВерсия исправления

>= 2.1.0.0, < 2.1.4.2

2.1.4.2

Наименование

rack

rubygems
Затронутые версииВерсия исправления

>= 2.2.0.0, < 2.2.6.1

2.2.6.1

Наименование

rack

rubygems
Затронутые версииВерсия исправления

>= 3.0.0.0, < 3.0.4.1

3.0.4.1

EPSS

Процентиль: 48%
0.0025
Низкий

CVE ID

CVE-2022-44572

Дефекты

CWE-1333
CWE-400

Связанные уязвимости

ubuntu логотип

CVE-2022-44572

CVSS3: 7.5
ubuntu
больше 2 лет назад

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

redhat логотип

CVE-2022-44572

CVSS3: 7.5
redhat
больше 2 лет назад

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

nvd логотип

CVE-2022-44572

CVSS3: 7.5
nvd
больше 2 лет назад

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

debian логотип

CVE-2022-44572

CVSS3: 7.5
debian
больше 2 лет назад

A denial of service vulnerability in the multipart parsing component o ...

fstec логотип

BDU:2024-02581

CVSS3: 7.5
fstec
больше 2 лет назад

Уязвимость компонента анализа Range модульного интерфейса между веб-серверами и веб-приложениями Rack, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 48%
0.0025
Низкий

CVE ID

CVE-2022-44572

Дефекты

CWE-1333
CWE-400