CVE-2022-44572

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
hackeroneCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
rackrack
𝑥
< 2.0.9.2
rackrack
2.1.0 ≤
𝑥
< 2.1.4.2
rackrack
2.2.0 ≤
𝑥
< 2.2.4.1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bullseye (security)
2.1.4-3+deb11u2
fixed
bullseye
2.1.4-3+deb11u2
fixed
bookworm
2.2.6.4-1+deb12u1
fixed
bookworm (security)
2.2.6.4-1+deb12u1
fixed
sid
2.2.7-1.1
fixed
trixie
2.2.7-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-rack
noble
not-affected
mantic
not-affected
lunar
not-affected
kinetic
ignored
jammy
Fixed 2.1.4-5ubuntu1+esm3
released
focal
Fixed 2.0.7-2ubuntu0.1+esm3
released
bionic
not-affected
xenial
not-affected
trusty
not-affected
Common Weakness Enumeration
References
https://hackerone.com/reports/1639882
https://security.netapp.com/advisory/ntap-20231208-0014/
https://www.debian.org/security/2023/dsa-5530
https://hackerone.com/reports/1639882
https://security.netapp.com/advisory/ntap-20231208-0014/
https://www.debian.org/security/2023/dsa-5530