GitHub Advisory Database: GHSA-22F2-V57C-J9CX
History: Feb 28, 2024 - 10:57 p.m.

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

2024-02-28 22:57:26
CWE-1333
GitHub Advisory Database
github.com
21
rack vulnerability
redos
content type parsing
server takeover

CVSS3: 5.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score: 5.1
Confidence: High
EPSS: 0
Percentile: 10.3%

Summary

module Rack
  class MediaType
    # pattern used to split a Content-Type header into its type and parameters
    SPLIT_PATTERN = %r{\s*[;,]\s*}
  end
end

The above regexp is subject to ReDoS: a prefix of 50K blank characters on the header takes over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It is a very easy-to-craft ReDoS. As with all ReDoS, the impact is debatable.
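The following is an added example, not code from the advisory or from Rack itself. It places the quoted pattern beside a linear-time alternative (split on the delimiter characters only, then strip each piece) and times both on a header constructed the same way as the PoC, with much shorter blank prefixes so the demonstration finishes quickly. The names split_vulnerable, split_safely and parse_media_type_safely are this example's own; the alternative is not the upstream fix.

```ruby
require "benchmark"

# Added example, not Rack's code. VULNERABLE_SPLIT mirrors the pattern quoted
# in the advisory (Rack::MediaType::SPLIT_PATTERN). SAFE_SPLIT and the
# functions below are this example's own alternative, not the upstream fix.
VULNERABLE_SPLIT = %r{\s*[;,]\s*}
SAFE_SPLIT = /[;,]/

# Original behaviour: one regex both splits and trims whitespace. Every blank
# in a leading run is a candidate match start for `\s*`, and the engine rescans
# the run from each one before giving up, so the cost grows with the square of
# the prefix length.
def split_vulnerable(content_type)
  content_type.split(VULNERABLE_SPLIT)
end

# Alternative: split only on the delimiter characters (no quantifier, so a
# single pass over the input) and trim each piece with String#strip, which is
# linear in the piece length.
def split_safely(content_type)
  content_type.split(SAFE_SPLIT).map(&:strip)
end

# Parse "type/subtype; k=v, k2=v2" into [mime_type, {param => value}] using the
# linear-time split. Parameter names are lower-cased and surrounding double
# quotes on values are removed; empty segments are ignored.
def parse_media_type_safely(content_type)
  parts = split_safely(content_type)
  type = parts.shift.to_s.downcase
  params = parts.each_with_object({}) do |pair, h|
    next if pair.empty?
    k, v = pair.split("=", 2)
    h[k.strip.downcase] = v.to_s.strip.delete_prefix('"').delete_suffix('"')
  end
  [type, params]
end

# Time one split method on a constructed header shaped like the PoC:
# n blank characters followed by "a,".
def time_split(n, method)
  header = (" " * n) + "a,"
  Benchmark.realtime { send(method, header) }
end

if __FILE__ == $0
  # Doubling the prefix roughly quadruples the vulnerable split's time while
  # the safe split stays flat; the sizes here are kept small on purpose.
  [1_000, 2_000, 4_000].each do |n|
    printf("blanks=%6d vulnerable=%.4fs safe=%.5fs\n",
           n, time_split(n, :split_vulnerable), time_split(n, :split_safely))
  end
end
```

Note that the two splits differ on one input shape: the quoted pattern never matches at the start of the string, so leading blanks on the first segment survive it, whereas the strip-based version removes them. For ordinary headers such as "text/html; charset=utf-8" both return the same segments.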

Affected configurations

Vulners
Node: rack rack, Range 0.4 to 2.2.8.1
OR
Node: rack rack, Range 3.0.0 to 3.0.9.1

Vendor  Product  Version  CPE
rack    rack     *        cpe:2.3:a:rack:rack:*:*:*:*:*:*:*:*
