CVE-2024-25126

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462
https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49
https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml
https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
https://security.netapp.com/advisory/ntap-20240510-0005/
https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462
https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49
https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml
https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
https://security.netapp.com/advisory/ntap-20240510-0005/

Configurations

No configuration.

History

21 Nov 2024, 09:00

Type	Values Removed	Values Added
References	~~() https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941 -~~	() https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941 -
References	~~() https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462 -~~	() https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462 -
References	~~() https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 -~~	() https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49 -
References	~~() https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx -~~	() https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx -
References	~~() https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml -~~	() https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml -
References	~~() https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html -~~	() https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html -
References	~~() https://security.netapp.com/advisory/ntap-20240510-0005/ -~~	() https://security.netapp.com/advisory/ntap-20240510-0005/ -

10 Jun 2024, 18:15

Type	Values Removed	Values Added
References		() https://security.netapp.com/advisory/ntap-20240510-0005/ -

29 Apr 2024, 11:15

Type	Values Removed	Values Added
References		() https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html -
Summary		(es) Rack es una interfaz modular de servidor web Ruby. Los encabezados de tipo de contenido cuidadosamente elaborados pueden hacer que el analizador de tipo de medios de Rack demore mucho más de lo esperado, lo que lleva a una posible vulnerabilidad de denegación de servicio (polinomio de segundo grado de ReDos). Esta vulnerabilidad está parcheada en 3.0.9.1 y 2.2.8.1.

29 Feb 2024, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-02-29 00:15

Updated : 2024-11-21 09:00

NVD link : CVE-2024-25126

Mitre link : CVE-2024-25126

CVE.ORG link : CVE-2024-25126

JSON object : View

Products Affected

No product.

CWE

CWE-1333

Inefficient Regular Expression Complexity

5.3 /10