CVE-2024-25126
Rack ReDos in content type parsing (2nd degree polynomial)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Rack es una interfaz modular de servidor web Ruby. Los encabezados de tipo de contenido cuidadosamente elaborados pueden hacer que el analizador de tipo de medios de Rack demore mucho más de lo esperado, lo que lleva a una posible vulnerabilidad de denegación de servicio (polinomio de segundo grado de ReDos). Esta vulnerabilidad está parcheada en 3.0.9.1 y 2.2.8.1.
A denial of service (DoS) vulnerability was found in rubygem-rack in how it parses Content-Type. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability.
CVSS Scores
SSVC
- Decision:Attend
Timeline
- 2024-02-05 CVE Reserved
- 2024-02-28 CVE Published
- 2024-04-30 EPSS Updated
- 2024-08-12 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-1333: Inefficient Regular Expression Complexity
CAPEC
References (9)
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://access.redhat.com/security/cve/CVE-2024-25126 | 2024-05-28 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2265593 | 2024-05-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Rack Search vendor "Rack" | Rack Search vendor "Rack" for product "Rack" | >= 3.0.0.0 < 3.0.9.1 Search vendor "Rack" for product "Rack" and version " >= 3.0.0.0 < 3.0.9.1" | en |
Affected
| ||||||
Rack Search vendor "Rack" | Rack Search vendor "Rack" for product "Rack" | >= 0.4.0.0 < 2.2.8.1 Search vendor "Rack" for product "Rack" and version " >= 0.4.0.0 < 2.2.8.1" | en |
Affected
|