CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
13.0%
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
The fixed releases are available at the normal locations.
There are no feasible workarounds for this issue.
To aid users who aren’t able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
Thanks to svalkanov for reporting this and
providing patches!
discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
github.com/rack/rack
github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
nvd.nist.gov/vuln/detail/CVE-2024-26146
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
13.0%