CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-27530 – rubygem-rack: Denial of service in Multipart MIME parsing
https://notcve.org/view.php?id=CVE-2023-27530
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of service. • https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388 https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html https://security.netapp.com/advisory/ntap-20231208-0015 https://www.debian.org/security/2023/dsa-5530 https://access.redhat.com/security/cve/CVE-2023-27530 https://bugzilla.redhat.com/show_bug.cgi?id=2176477 • CWE-20: Improper Input Validation CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2022-44572 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44572
A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. A flaw was found in rubygem-rack. Rack is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the multipart parsing component. By sending a specially-crafted input, a remote attacker can cause a denial of service. • https://hackerone.com/reports/1639882 https://security.netapp.com/advisory/ntap-20231208-0014 https://www.debian.org/security/2023/dsa-5530 https://access.redhat.com/security/cve/CVE-2022-44572 https://bugzilla.redhat.com/show_bug.cgi?id=2164722 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-44571 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44571
There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. A flaw was found in rubygem-rack. • https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126 https://security.netapp.com/advisory/ntap-20231208-0013 https://www.debian.org/security/2023/dsa-5530 https://access.redhat.com/security/cve/CVE-2022-44571 https://bugzilla.redhat.com/show_bug.cgi?id=2164714 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2022-44570 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44570
A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. A flaw was found in rubygem-rack. Rack is vulnerable to a denial of service caused by a regular expression denial of service (ReDoS) flaw in the Rack::Utils.get_byte_ranges function. • https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125 https://security.netapp.com/advisory/ntap-20231208-0010 https://www.debian.org/security/2023/dsa-5530 https://access.redhat.com/security/cve/CVE-2022-44570 https://bugzilla.redhat.com/show_bug.cgi?id=2164719 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-30123 – rubygem-rack: crafted requests can cause shell escape sequences
https://notcve.org/view.php?id=CVE-2022-30123
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. Existe una vulnerabilidad de inyección de secuencia en Rack <2.0.9.1, <2.1.4.1 y <2.2.3.1 que podría permitir un posible escape de shell en los componentes Lint y CommonLogger de Rack. A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal. • https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728 https://security.gentoo.org/glsa/202310-18 https://security.netapp.com/advisory/ntap-20231208-0011 https://www.debian.org/security/2023/dsa-5530 https://access.redhat.com/security/cve/CVE-2022-30123 https://bugzilla.redhat.com/show_bug.cgi?id=2099524 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences CWE-179: Incorrect Behavior Order: Early Validation •