CVE-2018-16470
rubygem-rack: Buffer size in multipart parser allows for denial of service
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
Hay una posible vulnerabilidad de denegación de servicio (DoS) en el analizador multiparte en Rack en versiones anteriores a la 2.0.6. Las peticiones especialmente manipuladas pueden provocar que el analizador multiparte entre en estado patológico, haciendo que emplee una cantidad de recursos de CPU desproporcionada al tamaño de la petición.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2018-09-04 CVE Reserved
- 2018-11-13 CVE Published
- 2024-08-05 CVE Updated
- 2024-09-22 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-400: Uncontrolled Resource Consumption
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://groups.google.com/forum/#%21msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ | X_refsource_misc |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:3172 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2018-16470 | 2019-10-22 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1646814 | 2019-10-22 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Rack Project Search vendor "Rack Project" | Rack Search vendor "Rack Project" for product "Rack" | 2.0.4 Search vendor "Rack Project" for product "Rack" and version "2.0.4" | - |
Affected
| ||||||
| Rack Project Search vendor "Rack Project" | Rack Search vendor "Rack Project" for product "Rack" | 2.0.5 Search vendor "Rack Project" for product "Rack" and version "2.0.5" | - |
Affected
| ||||||