CVE-2022-44571
09.02.2023, 20:15
There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.Enginsight
| Vendor | Product | Version |
|---|---|---|
| rack | rack | 2.0.0 ≤ 𝑥 < 2.0.9.2 |
| rack | rack | 2.1.0 ≤ 𝑥 < 2.1.4.2 |
| rack | rack | 2.2.0 ≤ 𝑥 < 2.2.6.1 |
| rack | rack | 3.0.0.0 ≤ 𝑥 < 3.0.4.1 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ruby-rack |
|
Common Weakness Enumeration
- CWE-400 - Uncontrolled Resource ConsumptionThe software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.
- CWE-1333 - Inefficient Regular Expression ComplexityThe product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
References