CVSS: 4.3EPSS: 1%CPEs: 25EXPL: 0CVE-2012-6109 – rubygem-rack: parsing Content-Disposition header DoS
https://notcve.org/view.php?id=CVE-2012-6109
lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header. lib/rack/multipart.rb en Rack anterior a v1.1.4 anterior a v1.1.5, v1.2.x anterior a v1.2.6, v1.3.x anterior a v1.3.7, y v1.4.x anterior a v1.4.2, emplea incorrectamente las expresiones regulares lo que permite a atacantes remotos provocar una denegación de servicio (bucle infinito) a través de una cabecera manipulada del tipo Content-Disposion. • http://rack.github.com http://rhn.redhat.com/errata/RHSA-2013-0544.html http://rhn.redhat.com/errata/RHSA-2013-0548.html https://bugzilla.redhat.com/show_bug.cgi?id=895277 https://github.com/rack/rack/blob/master/README.rdoc https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5 https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ https://access.redhat.com/security/cve/CVE-2012-6109 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVSS: 4.3EPSS: 1%CPEs: 23EXPL: 0CVE-2013-0184 – rubygem-rack: Rack::Auth:: AbstractRequest DoS
https://notcve.org/view.php?id=CVE-2013-0184
Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." Vulnerabilidad no especificada en Rack::Auth::AbstractRequest en Rack v1.1.x anterior a v1.1.5, v1.2.x anterior a v1.2.7, v1.3.x anterior a v1.3.9, y v1.4.x anterior a v1.4.4, permite a atacantes remotos provocar una denegación de servicio a través de vectores desconocidos relacionados con "symbolized arbitrary strings." • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html http://rhn.redhat.com/errata/RHSA-2013-0544.html http://rhn.redhat.com/errata/RHSA-2013-0548.html http://www.debian.org/security/2013/dsa-2783 https://bugzilla.redhat.com/show_bug.cgi?id=895384 https://access.redhat.com/security/cve/CVE-2013-0184 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.0EPSS: 4%CPEs: 11EXPL: 0CVE-2013-0183 – rubygem-rack: receiving excessively long lines triggers out-of-memory error
https://notcve.org/view.php?id=CVE-2013-0183
multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. multipart/parser.rb de Rack v1.3.x antes de v1.3.8 y v1.4.x antes de v1.4.3 permite a atacantes remotos causar una denegación de servicios (consumo de memoria y accesos fuera de rango) usando un long string en un paquete Multipart HTTP. • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html http://rack.github.com http://rhn.redhat.com/errata/RHSA-2013-0544.html http://rhn.redhat.com/errata/RHSA-2013-0548.html http://www.debian.org/security/2013/dsa-2783 https://bugzilla.redhat.com/show_bug.cgi?id=895282 https://github.com/rack/rack/commit/548b9af2dc0059f4c0c19728624448d84de450ff https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18 https://groups.google.com/forum/#%21topic/rack-devel/-M • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-400: Uncontrolled Resource Consumption •
CVSS: 5.1EPSS: 8%CPEs: 28EXPL: 0CVE-2013-0263 – rubygem-rack: Timing attack in cookie sessions
https://notcve.org/view.php?id=CVE-2013-0263
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. Rack::Sesión::Cookie en rack v1.5.x antes de v1.5.2, v1.4.x antes de v1.4.5, v1.3.x antes de v1.3.10, v1.2.x antes de v1.2.8, antes de v1.1.x y v1.1.6 permite atacantes remotos para adivinar la cookie de sesión, los privilegios de ganancia, y ejecutar código arbitrario a través de un ataque de sincronización que implica una función de comparación HMAC que no se ejecuta en tiempo constante. • http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html http://rack.github.com http://rhn.redhat.com/errata/RHSA-2013-0686.html http://secunia.com/advisories/52033 http://secunia.com/advisories/52134 http://secunia.com/advisories/52774 http://www.debian.org/security/2013/dsa-2783 http://www.osvdb.org/89939 https://bugzilla.redhat.com/show_bug.cgi?id=909071 https://gist.github.com/codahale/f9f3781f7b54985bee94 https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481 •