OSV: DSA-2783-1
Published: Oct 21, 2013
Source: Google osv.dev

librack-ruby - several vulnerabilities

CVSS2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK; Access Complexity: HIGH; Authentication: NONE
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.084 Low (percentile 93.5%)

Several vulnerabilities were discovered in Rack, a modular Ruby
webserver interface. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

  • CVE-2011-5036
    Rack computes hash values for form parameters without restricting
    the ability to trigger hash collisions predictably, which allows
    remote attackers to cause a denial of service (CPU consumption)
    by sending many crafted parameters.
  • CVE-2013-0183
    A remote attacker could cause a denial of service (memory
    consumption and out-of-memory error) via a long string in a
    Multipart HTTP packet.
  • CVE-2013-0184
    A vulnerability in Rack::Auth::AbstractRequest allows remote
    attackers to cause a denial of service via unknown vectors.
  • CVE-2013-0263
    Rack::Session::Cookie allows remote attackers to guess the
    session cookie, gain privileges, and execute arbitrary code via a
    timing attack involving an HMAC comparison function that does not
    run in constant time.
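The defect behind CVE-2013-0263 is a signature check that short-circuits on the first differing byte. As an added example (not Rack's own code), the following reduced cookie signer shows the non-constant-time comparison beside a constant-time one; the helper names (sign_cookie, verify_cookie, secure_compare) and the secret are this example's own, constructed here.

```ruby
require 'openssl'

SECRET = 'example-secret-do-not-reuse'.freeze # constructed demo value

# Sign a serialised session payload as "payload--hexdigest", the general
# shape of an HMAC-signed cookie session (illustrative, not Rack's layout).
def sign_cookie(payload, secret = SECRET)
  digest = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Vulnerable pattern: String#== returns as soon as a byte differs, so the
# time taken depends on how many leading bytes of a forged digest are right.
def verify_cookie_insecure(cookie, secret = SECRET)
  payload, sep, digest = cookie.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  digest == expected ? payload : nil
end

# Constant-time comparison: the length check leaks only the length (public
# for a fixed-size digest); the loop always visits every byte and ORs the
# XOR of each pair, so the result is independent of the first mismatch position.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened check: same parsing, but the digest comparison is constant-time.
def verify_cookie(cookie, secret = SECRET)
  payload, sep, digest = cookie.rpartition('--')
  return nil if sep.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  secure_compare(digest, expected) ? payload : nil
end
```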

For the oldstable distribution (squeeze), these problems have been fixed in
version 1.1.0-4+squeeze1.

The stable, testing and unstable distributions do not contain the
librack-ruby package. They have already been addressed in version
1.4.1-2.1 of the ruby-rack package.

We recommend that you upgrade your librack-ruby packages.

Affected package (CPE):
Name: librack-ruby  Operator: eq  Version: 1.1.0-4
