CVE-2023-27530

EUVD-2023-0850
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 83%
Affected Products (NVD)
VendorProductVersion
rackrack
𝑥
< 2.0.9.3
rackrack
2.1.0 ≤
𝑥
< 2.1.4.3
rackrack
2.2.0 ≤
𝑥
< 2.2.6.3
rackrack
3.0.0 ≤
𝑥
< 3.0.4.2
debiandebian_linux
10.0
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bookworm
2.2.6.4-1+deb12u1
fixed
bookworm (security)
2.2.6.4-1+deb12u1
fixed
bullseye
2.1.4-3+deb11u2
fixed
bullseye (security)
2.1.4-3+deb11u2
fixed
sid
2.2.7-1.1
fixed
trixie
2.2.7-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-rack
bionic
ignored
focal
Fixed 2.0.7-2ubuntu0.1+esm4
released
jammy
Fixed 2.1.4-5ubuntu1.1
released
kinetic
ignored
lunar
ignored
mantic
Fixed 2.2.4-3ubuntu0.2
released
noble
not-affected
oracular
not-affected
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0015/
https://www.debian.org/security/2023/dsa-5530