CVE-2023-27530

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
rackrack
𝑥
< 2.0.9.3
rackrack
2.1.0 ≤
𝑥
< 2.1.4.3
rackrack
2.2.0 ≤
𝑥
< 2.2.6.3
rackrack
3.0.0 ≤
𝑥
< 3.0.4.2
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bookworm
2.2.6.4-1+deb12u1
fixed
bookworm (security)
2.2.6.4-1+deb12u1
fixed
bullseye
2.1.4-3+deb11u2
fixed
bullseye (security)
2.1.4-3+deb11u2
fixed
sid
2.2.7-1.1
fixed
trixie
2.2.7-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-rack
bionic
ignored
focal
Fixed 2.0.7-2ubuntu0.1+esm4
released
jammy
Fixed 2.1.4-5ubuntu1.1
released
kinetic
ignored
lunar
ignored
mantic
Fixed 2.2.4-3ubuntu0.2
released
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
rmt-server
suse enterprise sap 15 SP4
2.13-150400.3.12.1
fixed
suse enterprise sap 15 SP5
2.13-150500.3.3.1
fixed
suse enterprise sap 15 SP6
2.13-150500.3.3.1
fixed
suse enterprise sap 15 SP7
2.21-150700.1.21
fixed
suse enterprise server 15 SP1
2.13-150100.3.45.1
fixed
suse enterprise server 15 SP2
2.13-150200.3.32.1
fixed
suse enterprise server 15 SP3
2.13-150300.3.24.1
fixed
suse enterprise server 15 SP4
2.13-150400.3.12.1
fixed
suse enterprise server 15 SP5
2.13-150500.3.3.1
fixed
suse enterprise server 15 SP6
2.13-150500.3.3.1
fixed
suse enterprise server 15 SP7
2.21-150700.1.21
fixed
rmt-server-config
suse enterprise sap 15 SP4
2.13-150400.3.12.1
fixed
suse enterprise sap 15 SP5
2.13-150500.3.3.1
fixed
suse enterprise sap 15 SP6
2.13-150500.3.3.1
fixed
suse enterprise sap 15 SP7
2.21-150700.1.21
fixed
suse enterprise server 15 SP1
2.13-150100.3.45.1
fixed
suse enterprise server 15 SP2
2.13-150200.3.32.1
fixed
suse enterprise server 15 SP3
2.13-150300.3.24.1
fixed
suse enterprise server 15 SP4
2.13-150400.3.12.1
fixed
suse enterprise server 15 SP5
2.13-150500.3.3.1
fixed
suse enterprise server 15 SP6
2.13-150500.3.3.1
fixed
suse enterprise server 15 SP7
2.21-150700.1.21
fixed
rmt-server-pubcloud
suse enterprise server 15 SP4
2.13-150400.3.12.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
pcs
RHEL 8
0:0.10.15-4.el8_8.1
fixed
RHEL 8.4 AUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 E4S
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 EUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 TUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.6 AUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 EUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.8 AUS
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 EUS
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.1
fixed
RHEL 9
0:0.11.4-7.el9_2
fixed
pcs-snmp
RHEL 8
0:0.10.15-4.el8_8.1
fixed
RHEL 8.4 AUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 E4S
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 EUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.4 TUS
0:0.10.8-1.el8_4.4
fixed
RHEL 8.6 AUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 E4S
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 EUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.6 TUS
0:0.10.12-6.el8_6.4
fixed
RHEL 8.8 AUS
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 E4S
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 EUS
0:0.10.15-4.el8_8.1
fixed
RHEL 8.8 TUS
0:0.10.15-4.el8_8.1
fixed
RHEL 9
0:0.11.4-7.el9_2
fixed
Common Weakness Enumeration
References
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530