Denial Of Service (DoS) Infinite Loop

2019-01-1508:58:11

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:N/I:N/A:P

JSON

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

CPENameOperatorVersion
rubygem-rackeq1.3.0__1.el6
rubygem-rackeq1.1.0__2.el6
rubygem-rackeq1.3.0__2.el6
rubygem-rails_wardeneq0.5.5__1.el6
rubygem-delayed_jobeq2.1.4__1.el6
rubygem-activesupporteq3.0.10__5.el6cf
rubygem-activesupporteq3.0.10__3.el6
rubygem-activesupporteq3.0.10__9.el6cf
rubygem-activesupporteq3.0.10__7.el6cf
rubygem-activesupporteq3.0.10__4.el6cf

Name	Operator	Version
rubygem-rack	eq	1.3.0__1.el6
rubygem-rack	eq	1.1.0__2.el6
rubygem-rack	eq	1.3.0__2.el6
rubygem-rails_warden	eq	0.5.5__1.el6
rubygem-delayed_job	eq	2.1.4__1.el6
rubygem-activesupport	eq	3.0.10__5.el6cf
rubygem-activesupport	eq	3.0.10__3.el6
rubygem-activesupport	eq	3.0.10__9.el6cf
rubygem-activesupport	eq	3.0.10__7.el6cf
rubygem-activesupport	eq	3.0.10__4.el6cf