History: May 27, 2024 - 5:15 p.m.

CVE-2024-35231

2024-05-27 17:15:09
CWE-770
GitHub_M
web.nvd.nist.gov
30
rack-contrib
denial of service
vulnerability
patch
version 2.5.0
nvd

CVSS3

8.6

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

AI Score

6.5

Confidence

High

EPSS

0

Percentile

9.0%

rack-contrib provides contributed Rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service because the user-controlled profiler_runs value was not bounded by any limit. An unbounded value lets remotely supplied data drive server-side resource allocation with no cap, which can result in a denial of service. Version 2.5.0 contains a patch for the issue.

Affected configurations

Vulners
Node: rack / rack_contrib, Range: < 2.5.0

Vulnrichment
Vendor: rack, Product: rack_contrib, Version: *, CPE: cpe:2.3:a:rack:rack_contrib:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "rack",
    "product": "rack-contrib",
    "versions": [
      {
        "version": "< 2.5.0",
        "status": "affected"
      }
    ]
  }
]
