CVE-2024-26141

Опубликовано: 29 фев. 2024

Источник: nvd

CVSS3: 5.8

CVSS3: 7.5

EPSS Низкий

Описание

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

Ссылки

https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
Exploit
Vendor Advisory
https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
Patch
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
Patch
https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
Exploit
Vendor Advisory
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0007/
Third Party Advisory
https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
Exploit
Vendor Advisory
https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
Patch
https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
Patch
https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
Vendor Advisory
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
Exploit
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
Mailing List
https://security.netapp.com/advisory/ntap-20240510-0007/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Версия от 1.3.0 (включая) до 2.2.8.1 (исключая)

cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Версия от 3.0.0 (включая) до 3.0.9.1 (исключая)

Конфигурация 2

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

EPSS

Процентиль: 48%

0.00253

Низкий

5.8 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-400

NVD-CWE-noinfo

Связанные уязвимости

CVE-2024-26141

CVSS3: 5.8

ubuntu

больше 1 года назад

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

CVE-2024-26141

CVSS3: 5.3

redhat

больше 1 года назад

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

CVE-2024-26141

CVSS3: 5.8

debian

больше 1 года назад

Rack is a modular Ruby web server interface. Carefully crafted Range h ...

GHSA-xj5v-6v4g-jfw6

github

больше 1 года назад

Rack has possible DoS Vulnerability with Range Header

BDU:2024-01714

CVSS3: 5.8

fstec

больше 1 года назад

Уязвимость интерфейса модуля Rack интерпретатора языка программирования Ruby, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 48%

0.00253

Низкий

5.8 Medium

CVSS3

7.5 High

CVSS3

Дефекты

CWE-400

NVD-CWE-noinfo