CVE-2023-27530

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
hackeroneCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
VendorProductVersion
rackrack
𝑥
< 2.0.9.3
rackrack
2.1.0 ≤
𝑥
< 2.1.4.3
rackrack
2.2.0 ≤
𝑥
< 2.2.6.3
rackrack
3.0.0 ≤
𝑥
< 3.0.4.2
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bullseye (security)
2.1.4-3+deb11u2
fixed
bullseye
2.1.4-3+deb11u2
fixed
bookworm
2.2.6.4-1+deb12u1
fixed
bookworm (security)
2.2.6.4-1+deb12u1
fixed
trixie
2.2.7-1.1
fixed
sid
2.2.7-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-rack
oracular
not-affected
noble
not-affected
mantic
Fixed 2.2.4-3ubuntu0.2
released
lunar
ignored
kinetic
ignored
jammy
Fixed 2.1.4-5ubuntu1.1
released
focal
Fixed 2.0.7-2ubuntu0.1+esm4
released
bionic
ignored
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530