CVE-2024-26141
Possible DoS Vulnerability with Range Header in Rack
Descriptions
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
A denial of service (DoS) vulnerability was found in rubygem-rack in how it parses the Range header. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with large responses could lead to a denial of service issue.
SSVC
- Decision: Attend
Timeline
- 2024-02-14 CVE Reserved
- 2024-02-28 CVE Published
- 2024-04-30 EPSS Updated
- 2024-08-28 CVE Updated
CWE
- CWE-400: Uncontrolled Resource Consumption
- CWE-1333: Inefficient Regular Expression Complexity
References (9)
URL | Date | SRC
---|---|---
https://access.redhat.com/security/cve/CVE-2024-26141 | 2024-05-28 |
https://bugzilla.redhat.com/show_bug.cgi?id=2265594 | 2024-05-28 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Rack | Rack | >= 3.0.0.0 < 3.0.9.1 | Affected
Rack | Rack | >= 1.3.0.0 < 2.2.8.1 | Affected