Count: 11
| Vulnerability | CVSS | EPSS | Published |
|---|---|---|---|
| GHSA-wpv5-97wm-hp9c: Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) | CVSS3: 7.5 | 0% Low | 3 months ago |
| CVE-2025-61772: Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx `client_max_body_size`). | CVSS3: 7.5 | 0% Low | 3 months ago |
| BDU:2025-14431: Vulnerability in the Rack::Multipart::Parser class of the Rack modular interface between web servers and web applications, allowing an attacker to cause a denial of service | CVSS3: 7.5 | 0% Low | 3 months ago |
| ELSA-2025-21036: pcs security update (IMPORTANT) | | | about 2 months ago |
| ELSA-2025-20962: pcs security update (IMPORTANT) | | | about 2 months ago |
| ELSA-2025-19719: pcs security update (IMPORTANT) | | | 2 months ago |
| ELSA-2025-19513: pcs security update (IMPORTANT) | | | 2 months ago |
| ELSA-2025-19512: pcs security update (IMPORTANT) | | | 2 months ago |
| ROS-20251106-03: Multiple vulnerabilities in rubygem-rack | CVSS3: 7.5 | | 2 months ago |