CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
rack-contrib prior to version 2.5.0 is vulnerable to a Denial of Service via the profiler_runs HTTP request parameter.
Versions Affected: < 2.5.0
Fixed Versions: >= 2.5.0
An attacker can trigger a Denial of Service by sending an HTTP request with an overly large profiler_runs parameter; the value controls how many times the profiler re-runs the request, so a single unauthenticated request can tie up a worker for an arbitrarily long time:
curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
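The following is an added example, not rack-contrib's own code: a hypothetical Rack-style middleware that shows the request-controlled "runs" pattern behind this class of bug next to a hardened version. Only Ruby's standard library is used; the Rack env is a plain hash, and MAX_PROFILER_RUNS, bounded_runs, unbounded_runs and BoundedProfiler are names chosen for this illustration (the actual fix in 2.5.0 may differ).

```ruby
require 'uri'

# Hypothetical server-side cap on how many times a request may be profiled.
MAX_PROFILER_RUNS = 100

# Parse the query string of a Rack-style env hash into a Hash of params.
def query_params(env)
  URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
end

# Vulnerable pattern: the repeat count comes straight from the client.
# "9999999999".to_i is accepted as-is, which is the DoS in the advisory.
def unbounded_runs(env)
  query_params(env).fetch('profiler_runs', '1').to_i
end

# Hardened pattern: strict base-10 parsing, reject garbage and negatives,
# and clamp to a server-side maximum the operator chooses.
def bounded_runs(env)
  raw = query_params(env)['profiler_runs']
  n = raw.nil? ? 1 : Integer(raw, 10, exception: false)
  return 1 if n.nil? || n < 1
  [n, MAX_PROFILER_RUNS].min
end

# Middleware using the bounded count: the downstream app is invoked at most
# MAX_PROFILER_RUNS times no matter what the client sends.
class BoundedProfiler
  attr_reader :invocations

  def initialize(app)
    @app = app
    @invocations = 0
  end

  def call(env)
    response = nil
    bounded_runs(env).times do
      @invocations += 1
      response = @app.call(env)
    end
    response
  end
end

# Constructed sample request mirroring the advisory's curl command.
def demo
  env = { 'QUERY_STRING' => 'profiler_runs=9999999999&profile=process_time' }
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
  mw = BoundedProfiler.new(app)
  status, _headers, body = mw.call(env)
  {
    unbounded: unbounded_runs(env),   # what the vulnerable pattern would loop
    bounded: bounded_runs(env),       # what the hardened pattern actually loops
    invocations: mw.invocations,
    status: status,
    body: body
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

The important design point is that the clamp happens before the loop, on the server, from a constant the client cannot influence; validating the type alone is not enough, since 9999999999 is a perfectly valid integer.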
The fixed releases are available at the normal locations.
There are no feasible workarounds for this issue.
Vendor | Product | Version | CPE |
---|---|---|---|
ruby | rack-contrib | * | cpe:2.3:a:ruby:rack-contrib:*:*:*:*:*:*:*:* |