
CVE-2013-0184 – rubygem-rack: Rack::Auth:: AbstractRequest DoS
https://notcve.org/view.php?id=CVE-2013-0184
01 Mar 2013 — Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." Vulnerabilidad no especificada en Rack::Auth::AbstractRequest en Rack v1.1.x anterior a v1.1.5, v1.2.x anterior a v1.2.7, v1.3.x anterior a v1.3.9, y v1.4.x anterior a v1.4.4, permite a atacantes remotos provocar una denegación de servicio a través... • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html • CWE-400: Uncontrolled Resource Consumption •

CVE-2012-6109 – rubygem-rack: parsing Content-Disposition header DoS
https://notcve.org/view.php?id=CVE-2012-6109
01 Mar 2013 — lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header. lib/rack/multipart.rb en Rack anterior a v1.1.4 anterior a v1.1.5, v1.2.x anterior a v1.2.6, v1.3.x anterior a v1.3.7, y v1.4.x anterior a v1.4.2, emplea incorrectamente las expresiones regulares lo que permite a atacantes remotos provocar una denegaci... • http://rack.github.com • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •

CVE-2013-0262 – rubygem-rack: Path sanitization information disclosure
https://notcve.org/view.php?id=CVE-2013-0262
08 Feb 2013 — rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." rack/file.rb (Rack::File) en Rack v1.5.x anterior a v1.5.2 y v1.4.x anterior a v1.4.5 permite a atacantes acceder a ficheros arbitrarios fuera del directorio raiz mediante una variable de entorno PATH_INFO... • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2013-0263 – rubygem-rack: Timing attack in cookie sessions
https://notcve.org/view.php?id=CVE-2013-0263
08 Feb 2013 — Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. Rack::Sesión::Cookie en rack v1.5.x antes de v1.5.2, v1.4.x antes de v1.4.5, v1.3.x antes de v1.3.10, v1.2.x antes de v1.2.8, antes de v1.1.x y v1.1.6 permite atacantes remotos para adivi... • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html •

CVE-2011-5036 – Debian Security Advisory 2783-2
https://notcve.org/view.php?id=CVE-2011-5036
30 Dec 2011 — Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Rack anterior a v1.1.3, v1.2.x anterior a v1.2.5, v1.3.6 y v1.3.x calcula los valores hash de los parámetros de forma, sin restringir la capacidad de desencadenar colisiones hash predecible, lo que permite a atacantes remoto... • http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html • CWE-310: Cryptographic Issues •