
CVSS: 10.0 • EPSS: 1% • CPEs: 4 • EXPL: 0

03 Nov 2022 — A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow a possible shell escape in the Lint and CommonLogger components of Rack. A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to... • https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences • CWE-179: Incorrect Behavior Order: Early Validation

CVSS: 7.8 • EPSS: 0% • CPEs: 4 • EXPL: 0

31 Oct 2022 — A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. A denial of service flaw was found in ruby-rack. An attacker crafting multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a denial of service. It was discovered tha... • https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729 • CWE-400: Uncontrolled Resource Consumption • CWE-770: Allocation of Resources Without Limits or Throttling • CWE-1333: Inefficient Regular Expression Complexity

CVSS: 8.6 • EPSS: 0% • CPEs: 4 • EXPL: 0

02 Jul 2020 — A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure. • https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') • CWE-548: Exposure of Information Through Directory Listing

CVSS: 7.5 • EPSS: 0% • CPEs: 5 • EXPL: 1

19 Jun 2020 — A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix. A flaw was found in rubygem-rack. An att... • https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak • CWE-20: Improper Input Validation • CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision • CWE-807: Reliance on Untrusted Inputs in a Security Decision