GitHub_MVULNRICHMENT:CVE-2024-26141CVE-2024-26141 Possible DoS Vulnerability with Range Header in Rack
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*"
],
"vendor": "rack_project",
"product": "rack",
"versions": [
{
"status": "affected",
"version": "3.0.0",
"lessThan": "3.0.9.1",
"versionType": "custom"
},
{
"status": "affected",
"version": "1.3.0",
"lessThan": "2.2.8.1",
"versionType": "custom"
}
],
"defaultStatus": "unknown"
}
]References
discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
lists.debian.org/debian-lts-announce/2024/04/msg00022.html
security.netapp.com/advisory/ntap-20240510-0007/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
AI Score
Confidence
High
SSVC
Exploitation
none
Automatable
yes
Technical Impact
partial