CVE-2024-26146 Possible Denial of Service Vulnerability in Rack Header Parsing

2024-02-2823:28:01

CWE-1333

GitHub_M

www.cve.org

vulnerability

denial of service

rack

header parsing

ruby 3.2

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.5 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.1%

JSON

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

CNA Affected

[
  {
    "vendor": "rack",
    "product": "rack",
    "versions": [
      {
        "version": ">= 3.0.0, < 3.0.9.1",
        "status": "affected"
      },
      {
        "version": ">= 2.2.0, < 2.2.8.1",
        "status": "affected"
      },
      {
        "version": ">= 2.1.0, < 2.1.4.4",
        "status": "affected"
      },
      {
        "version": "< 2.0.9.4",
        "status": "affected"
      }
    ]
  }
]