CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-27456
https://notcve.org/view.php?id=CVE-2024-27456
26 Feb 2024 — rack-cors (aka Rack CORS Middleware) 2.0.1 has 0666 permissions for the .rb files. rack-cors (también conocido como Rack CORS Middleware) 2.0.1 tiene permisos 0666 para los archivos .rb. • https://github.com/cyu/rack-cors/issues/274 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.8EPSS: 5%CPEs: 6EXPL: 0CVE-2023-27530 – rubygem-rack: Denial of service in Multipart MIME parsing
https://notcve.org/view.php?id=CVE-2023-27530
10 Mar 2023 — A DoS vulnerability exists in Rack
CVSS: 7.8EPSS: 2%CPEs: 4EXPL: 0CVE-2022-44570 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44570
09 Feb 2023 — A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. A flaw was found in rubygem-rack. Rack is vulnerable to a denial of service caused by a regular expression denial of ... • https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 2%CPEs: 4EXPL: 0CVE-2022-44571 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44571
09 Feb 2023 — There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. A flaw was foun... • https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-44572 – rubygem-rack: denial of service in Content-Disposition parsing
https://notcve.org/view.php?id=CVE-2022-44572
09 Feb 2023 — A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. A flaw was found in rubygem-rack. Rack is vulnerable to a denial of service caused by a regul... • https://hackerone.com/reports/1639882 • CWE-400: Uncontrolled Resource Consumption CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 10.0EPSS: 1%CPEs: 4EXPL: 0CVE-2022-30123 – rubygem-rack: crafted requests can cause shell escape sequences
https://notcve.org/view.php?id=CVE-2022-30123
03 Nov 2022 — A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. Existe una vulnerabilidad de inyección de secuencia en Rack <2.0.9.1, <2.1.4.1 y <2.2.3.1 que podría permitir un posible escape de shell en los componentes Lint y CommonLogger de Rack. A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to... • https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728 • CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences CWE-179: Incorrect Behavior Order: Early Validation •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-30122 – rubygem-rack: crafted multipart POST request may cause a DoS
https://notcve.org/view.php?id=CVE-2022-30122
31 Oct 2022 — A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. Existe una posible vulnerabilidad de Denegación de Servicio (DoS) en Rack <2.0.9.1, <2.1.4.1 y <2.2.3.1 en el componente de análisis multiparte de Rack. A denial of service flaw was found in ruby-rack. An attacker crafting multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a denial of service. It was discovered tha... • https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling CWE-1333: Inefficient Regular Expression Complexity •
CVSS: 8.6EPSS: 0%CPEs: 4EXPL: 0CVE-2020-8161 – rubygem-rack: directory traversal in Rack::Directory
https://notcve.org/view.php?id=CVE-2020-8161
02 Jul 2020 — A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure. Se presenta una vulnerabilidad de salto de directorio en rack versiones anteriores a 2.2.0, que permite a un atacante realizar una vulnerabilidad de salto de directorio en la aplicación Rack::Directory que esta incorporada con Rack, lo que podría resultar en una divulgación de informació... • https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-548: Exposure of Information Through Directory Listing •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2020-8184 – rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
https://notcve.org/view.php?id=CVE-2020-8184
19 Jun 2020 — A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. Se presenta una dependencia de las cookies sin vulnerabilidad de seguridad de control de validación e integridad en rack versiones anteriores a 2.2.3, rack versiones anteriores a 2.1.4, que hace posible a un atacante forjar un prefijo de cookie seguro o solo de host A flaw was found in rubygem-rack. An att... • https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak • CWE-20: Improper Input Validation CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision CWE-807: Reliance on Untrusted Inputs in a Security Decision •
CVSS: 6.3EPSS: 1%CPEs: 4EXPL: 0CVE-2019-16782 – Possible Information Leak / Session Hijack Vulnerability in Rack
https://notcve.org/view.php?id=CVE-2019-16782
18 Dec 2019 — There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hi... • http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •