Rack@* Security Vulnerabilities and Issues — Rack@* CVE List

Lucene search

Rack ProjectRack*

11 matches found

CVE•added 2020/06/19 5:15 p.m.•330 views

CVE-2020-8184

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack

7.5CVSS5.9AI score0.00844EPSS

CVE•added 2022/12/05 10:15 p.m.•328 views

CVE-2022-30123

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and

10CVSS9.3AI score0.02263EPSS

CVE•added 2024/02/29 12:15 a.m.•315 views

CVE-2024-25126

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

7.5CVSS5.6AI score0.00253EPSS

CVE•added 2024/02/29 12:15 a.m.•312 views

CVE-2024-26141

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils...

7.5CVSS5.5AI score0.00253EPSS

CVE•added 2024/02/29 12:15 a.m.•312 views

CVE-2024-26146

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby...

7.5CVSS5.7AI score0.00572EPSS

CVE•added 2022/12/05 10:15 p.m.•295 views

CVE-2022-30122

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and

7.5CVSS8.1AI score0.00997EPSS

CVE•added 2020/07/02 7:15 p.m.•202 views

CVE-2020-8161

A directory traversal vulnerability exists in rack

8.6CVSS7.9AI score0.00368EPSS

CVE•added 2018/11/13 11:29 p.m.•201 views

CVE-2018-16471

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an X...

6.1CVSS5.7AI score0.00404EPSS

CVE•added 2015/07/26 10:59 p.m.•102 views

CVE-2015-3225

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.

5CVSS6.3AI score0.16342EPSS

CVE•added 2013/03/01 5:40 a.m.•77 views

CVE-2012-6109

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

4.3CVSS6.3AI score0.00828EPSS

CVE•added 2011/12/30 1:55 a.m.•58 views

CVE-2011-5036

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

5CVSS6.4AI score0.01278EPSS