Lucene search

K

[email protected]NVD:CVE-2024-25126

HistoryFeb 29, 2024 - 12:15 a.m.

CVE-2024-25126

2024-02-2900:15:51

CWE-1333

[email protected]

web.nvd.nist.gov

5

rack web server interface; media type parser; vulnerability; patched version; denial of service; redos 2nd degree polynomial

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

References

discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941

github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462

github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49

github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx

github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml

lists.debian.org/debian-lts-announce/2024/04/msg00022.html

security.netapp.com/advisory/ntap-20240510-0005/

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

5.2 Medium

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

Related for NVD:CVE-2024-25126

redhatcve1 debiancve1 cvelist1 cve1 ubuntucve1 prion1 osv8 hackerone1 cgr1 wolfi1 veracode1 github1 rubygems1 nessus19 redhat8 oraclelinux2 rocky1 openvas5 mageia1 debian2 amazon1 almalinux2 redos1 ubuntu1