13 matches found
CVE-2022-30123
Rack contains a sequence injection vulnerability (CVE-2022-30123) affecting Rack <2.0.9.1, <2.1.4.1, and
CVE-2022-30122
CVE-2022-30122 affects Rack’s multipart parsing in Rack <2.0.9.1, <2.1.4.1 and
CVE-2020-8184
The CVE-2020-8184 entry concerns a vulnerability in rack where a reliance on cookies without validation or integrity checks allows forging a secure or host-only cookie prefix. Affected are rack versions older than 2.2.3 and older than 2.1.4. The underlying issue is insufficient cookie validation/...
CVE-2020-8161
Summary of risk : CVE-2020-8161 is a directory-traversal vulnerability in Rack (
CVE-2018-16471
CVE-2018-16471 (Rack XSS) Affected: Rack up to versions before 2.0.6 and 1.6.11. Issue: crafted requests can affect Rack::Request.scheme return value, enabling cross-site scripting if the value is not escaped by the app. Impact: potential XSS in apps that rely on Rack::Request.scheme without esca...
CVE-2018-16470
CVE-2018-16470 affects the Rack web framework: a vulnerability in the multipart parser in Rack prior to 2.0.6 can cause a denial of service by a specially crafted request, forcing disproportionate CPU usage. The issue is tied to the multipart parser’s handling, leading to potential resource exhau...
CVE-2015-3225
CVE-2015-3225: Rack (lib/rack/utils.rb) before 1.5.4 and 1.6.x before 1.6.2 allows remote abuse via requests with very large parameter depth, causing SystemStackError DoS. Public references confirm this is a vulnerability in Rack used with Rails 3.x/4.x. Remediation in public advisories: upgrade ...
CVE-2013-0262
CVE-2013-0262 affects Rack’s Rack::File in Rack 1.5.x (before 1.5.2) and 1.4.x (before 1.4.5). A crafted PATH_INFO can cause a directory traversal, allowing an attacker to access arbitrary files outside the intended root. Root cause: improper PATH_INFO handling in Rack::File (symlink path travers...
CVE-2013-0183
Rack multipart parser vulnerability (CVE-2013-0183) affects Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3. An attacker can send a long string in a Multipart HTTP packet to cause memory consumption or an out-of-memory denial of service. Existence of exploit details is not provided in the supplied...
CVE-2013-0263
CVE-2013-0263 is a timing-attack vulnerability in Rack::Session::Cookie that allows remote attackers to guess the session cookie, potentially gain privileges, and execute arbitrary code. It affects Rack versions prior to patched releases: 1.5.2 (1.5.x), 1.4.5 (1.4.x), 1.3.10 (1.3.x), 1.2.8 (1.2.x...
CVE-2012-6109
Rack vulnerability CVE-2012-6109: DoS via crafted Content-Disposition header due to an incorrect regular expression in Rack’s multipart header parser. Affected: Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2. Impact: potential infinite loop/DoS. Mitigation: upgr...
CVE-2013-0184
CVE-2013-0184 affects Rack’s Rack::Auth::AbstractRequest. The vulnerability allows remote denial of service via unknown vectors related to symbolized arbitrary strings. Affected Rack versions: 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4. Remediation is to up...
CVE-2011-5036
Rack (Ruby web server interface) vulnerability CVE-2011-5036: hash parameter processing in Rack allows attackers to trigger hash collisions and cause CPU-based denial of service. Affected versions include Rack 1.x up to 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6. Root cause is predictable ...