Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:RACK-2018-16470
HistoryNov 04, 2018 - 9:00 p.m.

Possible DoS vulnerability in Rack

2018-11-0421:00:00
RubySec
rubysec.com
6
JSON

There is a possible DoS vulnerability in the multipart parser in Rack. This
vulnerability has been assigned the CVE identifier CVE-2018-16470.

Versions Affected: 2.0.4, 2.0.5
Not affected: <= 2.0.3
Fixed Versions: 2.0.6

Impact

There is a possible DoS vulnerability in the multipart parser in Rack.
Carefully crafted requests can cause the multipart parser to enter a
pathological state, causing the parser to use CPU resources disproportionate to
the request size.

Impacted code can look something like this:

Rack::Request.new(env).params

But any code that uses the multi-part parser may be vulnerable.

Rack users that have manually adjusted the buffer size in the multipart parser
may be vulnerable as well.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The 2.0.6 release is available at the normal locations.

Workarounds

To work around this issue, the following code can be used:

require "rack/multipart/parser"

Rack::Multipart::Parser.send :remove_const, :BUFSIZE
Rack::Multipart::Parser.const_set :BUFSIZE, 16384
CPENameOperatorVersion
rackle2.0.3
racklt2.0.6

Related

osv 2
debiancve 1
redhatcve 1
prion 1
hackerone 1
ubuntucve 1
cve 1
github 1
veracode 1
nessus 5
openvas 4
fedora 2
suse 1
redhat 1
osv
osv
Rack vulnerable to Denial of Service
2018-11-15 15:58:58
CVE-2018-16470
2018-11-13 23:29:00
debiancve
debiancve
CVE-2018-16470
2018-11-13 23:29:00
redhatcve
redhatcve
CVE-2018-16470
2020-01-10 15:34:40
prion
prion
Design/Logic Flaw
2018-11-13 23:29:00
hackerone
hackerone
Ruby on Rails: Specially constructed multi-part requests cause multi-second response times; vulnerable to DoS
2018-10-31 00:31:56
ubuntucve
ubuntucve
CVE-2018-16470
2018-11-13 00:00:00
cve
cve
CVE-2018-16470
2018-11-13 23:29:00
github
github
Rack vulnerable to Denial of Service
2018-11-15 15:58:58
veracode
veracode
Denial Of Service (DoS)
2018-11-07 02:07:19
nessus
nessus
Fedora 29 : 1:rubygem-rack (2018-e8ff8b7f8e)
2019-01-03 00:00:00
Fedora 28 : 1:rubygem-rack (2018-02e965a729)
2019-01-03 00:00:00
SUSE SLES15 Security Update : rmt-server (SUSE-SU-2019:0272-1)
2019-02-07 00:00:00
openvas
openvas
Fedora Update for rubygem-rack FEDORA-2018-02e965a729
2018-12-04 00:00:00
Fedora Update for rubygem-rack FEDORA-2018-e8ff8b7f8e
2019-05-07 00:00:00
openSUSE: Security Advisory for rmt-server (openSUSE-SU-2019:0185-1)
2019-02-15 00:00:00
fedora
fedora
[SECURITY] Fedora 28 Update: rubygem-rack-2.0.4-4.fc28
2018-11-28 02:46:19
[SECURITY] Fedora 29 Update: rubygem-rack-2.0.4-4.fc29
2018-11-28 02:43:12
suse
suse
Security update for rmt-server (moderate)
2019-02-14 00:00:00
redhat
redhat
(RHSA-2019:3172) Moderate: Red Hat Satellite 6 security, bug fix, and enhancement update
2019-10-22 12:34:42
JSON
Related for RUBY:RACK-2018-16470
osv2debiancve1redhatcve1prion1hackerone1ubuntucve1cve1github1veracode1nessus5openvas4fedora2suse1redhat1