Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
rubygemsRubySecRUBY:RACK-2024-25126
HistoryFeb 20, 2024 - 9:00 p.m.

Denial of Service Vulnerability in Rack Content-Type Parsing

2024-02-2021:00:00
RubySec
discuss.rubyonrails.org
11
denial of service
vulnerability
rack
content-type parsing
cve-2024-25126
media type parser
upgrade

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

High

EPSS

0

Percentile

10.3%

JSON

There is a possible denial of service vulnerability in the content type
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2024-25126.

Versions Affected: >= 0.4 Not affected: < 0.4 Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted content type headers can cause Rack’s media type parser to
take much longer than expected, leading to a possible denial of service
vulnerability.

Impacted code will use Rack’s media type parser to parse content type headers.
This code will look like below:

request.media_type

## OR
request.media_type_params

## OR
Rack::MediaType.type(content_type)

Some frameworks (including Rails) call this code internally, so upgrading is
recommended!

All users running an affected release should either upgrade or use one of the
workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Affected configurations

Vulners
Node
rubyrackRange2.2.0–2.2.8.1
OR
rubyrackRange≀3.0.9.1
VendorProductVersionCPE
rubyrack*cpe:2.3:a:ruby:rack:*:*:*:*:*:*:*:*

Related

debiancve 1
cvelist 1
redhatcve 1
cve 1
veracode 1
osv 17
github 1
cgr 1
vulnrichment 1
wolfi 1
nvd 1
hackerone 1
prion 1
ubuntucve 1
nessus 21
redhat 8
redos 1
amazon 1
almalinux 2
debian 2
openvas 6
rocky 1
oraclelinux 2
mageia 1
ubuntu 2
debiancve
debiancve
CVE-2024-25126
2024-02-29 00:15:51
cvelist
cvelist
CVE-2024-25126 Rack ReDos in content type parsing (2nd degree polynomial)
2024-02-28 23:28:07
redhatcve
redhatcve
CVE-2024-25126
2024-02-23 03:01:38
cve
cve
CVE-2024-25126
2024-02-29 00:15:51
veracode
veracode
Regular Expression Denial Of Service (ReDoS)
2024-02-28 08:16:50
osv
osv
CGA-6jhx-xgjg-cx6p
2024-06-06 12:23:10
CGA-x8gc-x5hw-p9g9
2024-06-06 12:26:34
Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
2024-02-28 22:57:26
github
github
Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
2024-02-28 22:57:26
cgr
cgr
CVE-2024-25126 vulnerabilities
2024-05-19 03:07:16
vulnrichment
vulnrichment
CVE-2024-25126 Rack ReDos in content type parsing (2nd degree polynomial)
2024-02-28 23:28:07
wolfi
wolfi
CVE-2024-25126 vulnerabilities
2024-09-27 09:13:12
nvd
nvd
CVE-2024-25126
2024-02-29 00:15:51
hackerone
hackerone
Internet Bug Bounty: [CVE-2024-25126] Denial of Service Vulnerability in Rack Content-Type Parsing
2024-04-03 21:32:58
prion
prion
Design/Logic Flaw
2024-02-29 00:15:00
ubuntucve
ubuntucve
CVE-2024-25126
2024-02-29 00:00:00
nessus
nessus
Rocky Linux 8 : pcs (RLSA-2024:2953)
2024-06-14 00:00:00
RHEL 8 : pcs (RHSA-2024:2953)
2024-05-23 00:00:00
Debian dla-3800 : ruby-rack - security update
2024-04-29 00:00:00
redhat
redhat
(RHSA-2024:2007) Moderate: pcs security update
2024-04-23 16:20:34
(RHSA-2024:2113) Moderate: pcs security update
2024-04-30 06:14:46
(RHSA-2024:1846) Moderate: pcs security update
2024-04-16 15:03:20
redos
redos
ROS-20240508-01
2024-05-08 00:00:00
amazon
amazon
Medium: pcs
2024-03-13 20:26:00
almalinux
almalinux
Moderate: pcs security update
2024-04-30 00:00:00
Moderate: pcs security update
2024-05-22 00:00:00
debian
debian
[SECURITY] [DLA 3800-1] ruby-rack security update
2024-04-29 09:44:25
[SECURITY] [DSA 5698-1] ruby-rack security update
2024-05-24 16:43:43
openvas
openvas
Debian: Security Advisory (DLA-3800-1)
2024-04-30 00:00:00
Mageia: Security Advisory (MGASA-2024-0123)
2024-04-15 00:00:00
Debian: Security Advisory (DSA-5698-1)
2024-05-27 00:00:00
rocky
rocky
pcs security update
2024-06-14 13:59:33
oraclelinux
oraclelinux
pcs security update
2024-05-23 00:00:00
pcs security update
2024-05-02 00:00:00
mageia
mageia
Updated ruby-rack packages fix security vulnerabilities
2024-04-12 23:45:19
ubuntu
ubuntu
Rack vulnerabilities
2024-08-19 00:00:00
Rack vulnerabilities
2024-06-17 00:00:00

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

AI Score

7.1

Confidence

High

EPSS

0

Percentile

10.3%

JSON
Related for RUBY:RACK-2024-25126
debiancve1cvelist1redhatcve1cve1veracode1osv17github1cgr1vulnrichment1wolfi1nvd1hackerone1prion1ubuntucve1nessus21redhat8redos1amazon1almalinux2debian2openvas6rocky1oraclelinux2mageia1ubuntu2