Description
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
A flaw was found in Ruby's CGI gem. Processing specially crafted large cookies with the CGI::Cookie.parse method can cause excessive resource consumption due to a missing limit on the length of the raw cookie value, resulting in a denial of service.
Statement
This issue will cause excessive resource consumption, potentially resulting in poor application performance. However, an attacker does not have the ability to completely deny service to legitimate users. For this reason, this vulnerability has been rated with a moderate severity.
Mitigation
Do not pass large cookies or strings to the CGI::Cookie.parse method from the CGI library. Adding a check that verifies and limits the length of the cookie string before it is parsed mitigates this vulnerability.
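The length check described above, written as an added example (not code from the advisory or from the cgi gem): a wrapper that measures the raw Cookie header in bytes and refuses it before CGI::Cookie.parse ever sees it. The 4096-byte limit, the CookieTooLong error class and the handle_request helper are assumptions chosen for the illustration.

```ruby
require "cgi"

# Assumed limit for this example; size it for what your application actually
# stores in cookies. Measuring bytes rather than characters matters because
# multibyte input is larger on the wire than its character count suggests.
MAX_COOKIE_BYTES = 4096

class CookieTooLong < ArgumentError; end

# Returns the name => CGI::Cookie Hash that CGI::Cookie.parse produces, or
# raises CookieTooLong without handing an oversized string to the parser.
def safe_parse_cookie(raw_cookie, max_bytes: MAX_COOKIE_BYTES)
  return {} if raw_cookie.nil? || raw_cookie.empty?
  if raw_cookie.bytesize > max_bytes
    raise CookieTooLong,
          "Cookie header is #{raw_cookie.bytesize} bytes; limit is #{max_bytes}"
  end
  CGI::Cookie.parse(raw_cookie)
end

# Minimal CGI-style request handling: the raw header arrives in HTTP_COOKIE.
# An oversized cookie is answered with 400 instead of being parsed, so the
# server spends no parsing time on it. Returns [status, body].
def handle_request(env)
  cookies = safe_parse_cookie(env["HTTP_COOKIE"])
  # CGI::Cookie#value is an Array (cookies may carry several values).
  session = cookies.key?("session") ? cookies["session"].value.first : nil
  [200, session ? "session=#{session}" : "no session"]
rescue CookieTooLong => e
  [400, e.message]
end

if __FILE__ == $0
  # Constructed sample inputs: a normal header and an oversized one.
  p handle_request("HTTP_COOKIE" => "session=abc123; theme=dark")
  p handle_request("HTTP_COOKIE" => "session=" + "A" * 10_000)
end
```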
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Enterprise Linux 6 | ruby | Out of support scope | | |
| Red Hat Enterprise Linux 7 | ruby | Out of support scope | | |
| Red Hat Enterprise Linux 8 | ruby:2.5/ruby | Out of support scope | | |
| Red Hat Enterprise Linux 10 | ruby | Fixed | RHSA-2025:8131 | 26.05.2025 |
| Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2025:10217 | 02.07.2025 |
| Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2025:4063 | 23.04.2025 |
| Red Hat Enterprise Linux 9 | ruby | Fixed | RHSA-2025:4487 | 06.05.2025 |
| Red Hat Enterprise Linux 9 | ruby | Fixed | RHSA-2025:4488 | 06.05.2025 |
| Red Hat Enterprise Linux 9 | ruby | Fixed | RHSA-2025:4493 | 06.05.2025 |
Additional information
CVSS3: 5.3 Medium
Related vulnerabilities
CGI has Denial of Service (DoS) potential in Cookie.parse