CVE-2022-44572

EUVD-2023-0547
A denial of service vulnerability in the multipart parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1, could allow an attacker to craft input that causes RFC 2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any application that parses multipart posts using Rack (virtually all Rails applications) is impacted.
CVSS 3.x Base Score

Provider  Type     Base Score  Attack Vector  Attack Complexity  Privileges Required  Vector
NIST      Primary  7.5 HIGH    NETWORK        LOW                NONE                 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score: percentile 52%
Affected Products (NVD)

Vendor  Product  Version
rack    rack     x < 2.0.9.2
rack    rack     2.1.0 ≤ x < 2.1.4.2
rack    rack     2.2.0 ≤ x < 2.2.4.1

x = vulnerable software versions
Debian Releases

Debian Product: ruby-rack

Codename             Version            Status
bookworm             2.2.6.4-1+deb12u1  fixed
bookworm (security)  2.2.6.4-1+deb12u1  fixed
bullseye             2.1.4-3+deb11u2    fixed
bullseye (security)  2.1.4-3+deb11u2    fixed
sid                  2.2.7-1.1          fixed
trixie               2.2.7-1.1          fixed
Ubuntu Releases

Ubuntu Product: ruby-rack

Codename  Status        Fixed Version
bionic    not-affected
focal     released      2.0.7-2ubuntu0.1+esm3
jammy     released      2.1.4-5ubuntu1+esm3
kinetic   ignored
lunar     not-affected
mantic    not-affected
noble     not-affected
trusty    not-affected
xenial    not-affected