Lookup for vulnerable packages by Package URL.

Purl pkg:gem/rack@2.0.0
Type gem
Namespace
Name rack
Version 2.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 2.2.22
Latest_non_vulnerable_version 3.2.6
Affected_by_vulnerabilities
0
url VCID-9xy8-h3y1-mubv
vulnerability_id VCID-9xy8-h3y1-mubv
summary
Cross-site Scripting
There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to HTTP or HTTPS and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html
1
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
2
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json
3
reference_url https://api.first.org/data/v1/epss?cve=CVE-2018-16471
reference_id
reference_type
scores
0
value 0.00299
scoring_system epss
scoring_elements 0.53283
published_at 2026-04-11T12:55:00Z
1
value 0.00299
scoring_system epss
scoring_elements 0.53232
published_at 2026-04-09T12:55:00Z
2
value 0.00299
scoring_system epss
scoring_elements 0.53238
published_at 2026-04-08T12:55:00Z
3
value 0.00299
scoring_system epss
scoring_elements 0.53185
published_at 2026-04-07T12:55:00Z
4
value 0.00299
scoring_system epss
scoring_elements 0.53217
published_at 2026-04-04T12:55:00Z
5
value 0.00299
scoring_system epss
scoring_elements 0.53193
published_at 2026-04-02T12:55:00Z
6
value 0.00299
scoring_system epss
scoring_elements 0.53169
published_at 2026-04-01T12:55:00Z
7
value 0.00299
scoring_system epss
scoring_elements 0.5329
published_at 2026-04-16T12:55:00Z
8
value 0.00299
scoring_system epss
scoring_elements 0.53252
published_at 2026-04-13T12:55:00Z
9
value 0.00299
scoring_system epss
scoring_elements 0.53296
published_at 2026-04-18T12:55:00Z
10
value 0.00299
scoring_system epss
scoring_elements 0.53269
published_at 2026-04-12T12:55:00Z
11
value 0.00829
scoring_system epss
scoring_elements 0.74558
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2018-16471
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
5
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
6
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml
8
reference_url https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag
9
reference_url https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3
scoring_elements
1
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o
10
reference_url https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html
11
reference_url https://usn.ubuntu.com/4089-1
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://usn.ubuntu.com/4089-1
12
reference_url https://usn.ubuntu.com/4089-1/
reference_id
reference_type
scores
url https://usn.ubuntu.com/4089-1/
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1646818
reference_id 1646818
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1646818
14
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005
reference_id 913005
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2018-16471
reference_id CVE-2018-16471
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2018-16471
16
reference_url https://github.com/advisories/GHSA-5r2p-j47h-mhpg
reference_id GHSA-5r2p-j47h-mhpg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-5r2p-j47h-mhpg
fixed_packages
0
url pkg:gem/rack@2.0.6
purl pkg:gem/rack@2.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-6c1k-vgv4-93ad
2
vulnerability VCID-7p12-ejdu-uqgy
3
vulnerability VCID-7wvj-9h3p-23am
4
vulnerability VCID-7zgg-tvu3-r7gt
5
vulnerability VCID-8zkw-y3yd-yuft
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-fpg2-nhey-rkcc
13
vulnerability VCID-gdhf-e8q1-kbat
14
vulnerability VCID-gtzk-m9rm-57hw
15
vulnerability VCID-npag-sz7d-v7b6
16
vulnerability VCID-qt1u-2p37-xfet
17
vulnerability VCID-s971-gkdg-jkhc
18
vulnerability VCID-skxv-7he3-xqgc
19
vulnerability VCID-udc4-7jnt-y3fu
20
vulnerability VCID-vkrw-y1j6-6fe7
21
vulnerability VCID-w732-52bx-2qf8
22
vulnerability VCID-wt7k-s1yd-nke6
23
vulnerability VCID-xazq-qrm1-9ff6
24
vulnerability VCID-xkah-9nv9-wufd
25
vulnerability VCID-xnz5-gv2x-17bk
26
vulnerability VCID-yw62-qbkq-9ygq
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.6
aliases CVE-2018-16471, GHSA-5r2p-j47h-mhpg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9xy8-h3y1-mubv
1
url VCID-c21j-snf1-d3cb
vulnerability_id VCID-c21j-snf1-d3cb
summary
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44572
reference_id
reference_type
scores
0
value 0.00234
scoring_system epss
scoring_elements 0.46307
published_at 2026-04-21T12:55:00Z
1
value 0.00262
scoring_system epss
scoring_elements 0.4954
published_at 2026-04-04T12:55:00Z
2
value 0.00262
scoring_system epss
scoring_elements 0.49513
published_at 2026-04-02T12:55:00Z
3
value 0.00275
scoring_system epss
scoring_elements 0.50986
published_at 2026-04-11T12:55:00Z
4
value 0.00275
scoring_system epss
scoring_elements 0.50991
published_at 2026-04-18T12:55:00Z
5
value 0.00275
scoring_system epss
scoring_elements 0.50985
published_at 2026-04-16T12:55:00Z
6
value 0.00275
scoring_system epss
scoring_elements 0.50948
published_at 2026-04-13T12:55:00Z
7
value 0.00275
scoring_system epss
scoring_elements 0.50964
published_at 2026-04-12T12:55:00Z
8
value 0.00298
scoring_system epss
scoring_elements 0.53184
published_at 2026-04-09T12:55:00Z
9
value 0.00298
scoring_system epss
scoring_elements 0.53138
published_at 2026-04-07T12:55:00Z
10
value 0.00298
scoring_system epss
scoring_elements 0.53192
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44572
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
10
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
11
reference_url https://github.com/rack/rack/releases/tag/v3.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/releases/tag/v3.0.4.1
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml
13
reference_url https://hackerone.com/reports/1639882
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1639882
14
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id 1029832
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164722
reference_id 2164722
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164722
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44572
reference_id CVE-2022-44572
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44572
18
reference_url https://github.com/advisories/GHSA-rqv2-275x-2jq5
reference_id GHSA-rqv2-275x-2jq5
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rqv2-275x-2jq5
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
20
reference_url https://usn.ubuntu.com/5910-1/
reference_id USN-5910-1
reference_type
scores
url https://usn.ubuntu.com/5910-1/
21
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@2.0.9.2
purl pkg:gem/rack@2.0.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c21j-snf1-d3cb
8
vulnerability VCID-c5sc-7qnn-mkb9
9
vulnerability VCID-d58r-22kr-9bct
10
vulnerability VCID-fpg2-nhey-rkcc
11
vulnerability VCID-gdhf-e8q1-kbat
12
vulnerability VCID-gtzk-m9rm-57hw
13
vulnerability VCID-npag-sz7d-v7b6
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-vkrw-y1j6-6fe7
17
vulnerability VCID-w732-52bx-2qf8
18
vulnerability VCID-wt7k-s1yd-nke6
19
vulnerability VCID-xazq-qrm1-9ff6
20
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2
1
url pkg:gem/rack@2.1.4.2
purl pkg:gem/rack@2.1.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c21j-snf1-d3cb
8
vulnerability VCID-c5sc-7qnn-mkb9
9
vulnerability VCID-d58r-22kr-9bct
10
vulnerability VCID-fpg2-nhey-rkcc
11
vulnerability VCID-gdhf-e8q1-kbat
12
vulnerability VCID-gtzk-m9rm-57hw
13
vulnerability VCID-npag-sz7d-v7b6
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-vkrw-y1j6-6fe7
17
vulnerability VCID-w732-52bx-2qf8
18
vulnerability VCID-wt7k-s1yd-nke6
19
vulnerability VCID-xazq-qrm1-9ff6
20
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2
2
url pkg:gem/rack@2.2.5
purl pkg:gem/rack@2.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-6c1k-vgv4-93ad
2
vulnerability VCID-7p12-ejdu-uqgy
3
vulnerability VCID-7wvj-9h3p-23am
4
vulnerability VCID-7zgg-tvu3-r7gt
5
vulnerability VCID-9rpp-9xss-duf6
6
vulnerability VCID-arac-j5h5-zkcu
7
vulnerability VCID-azu5-jcmd-3ufx
8
vulnerability VCID-c21j-snf1-d3cb
9
vulnerability VCID-c5sc-7qnn-mkb9
10
vulnerability VCID-d58r-22kr-9bct
11
vulnerability VCID-fpg2-nhey-rkcc
12
vulnerability VCID-gdhf-e8q1-kbat
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-npag-sz7d-v7b6
15
vulnerability VCID-s971-gkdg-jkhc
16
vulnerability VCID-skxv-7he3-xqgc
17
vulnerability VCID-vkrw-y1j6-6fe7
18
vulnerability VCID-w732-52bx-2qf8
19
vulnerability VCID-wt7k-s1yd-nke6
20
vulnerability VCID-xazq-qrm1-9ff6
21
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.5
3
url pkg:gem/rack@2.2.6.1
purl pkg:gem/rack@2.2.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-6c1k-vgv4-93ad
2
vulnerability VCID-7p12-ejdu-uqgy
3
vulnerability VCID-7wvj-9h3p-23am
4
vulnerability VCID-7zgg-tvu3-r7gt
5
vulnerability VCID-9rpp-9xss-duf6
6
vulnerability VCID-arac-j5h5-zkcu
7
vulnerability VCID-azu5-jcmd-3ufx
8
vulnerability VCID-c21j-snf1-d3cb
9
vulnerability VCID-c5sc-7qnn-mkb9
10
vulnerability VCID-d58r-22kr-9bct
11
vulnerability VCID-fpg2-nhey-rkcc
12
vulnerability VCID-gdhf-e8q1-kbat
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-npag-sz7d-v7b6
15
vulnerability VCID-s971-gkdg-jkhc
16
vulnerability VCID-skxv-7he3-xqgc
17
vulnerability VCID-vkrw-y1j6-6fe7
18
vulnerability VCID-w732-52bx-2qf8
19
vulnerability VCID-wt7k-s1yd-nke6
20
vulnerability VCID-xazq-qrm1-9ff6
21
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1
4
url pkg:gem/rack@3.0.4.1
purl pkg:gem/rack@3.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-fpg2-nhey-rkcc
10
vulnerability VCID-gtzk-m9rm-57hw
11
vulnerability VCID-npag-sz7d-v7b6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-w732-52bx-2qf8
15
vulnerability VCID-wt7k-s1yd-nke6
16
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1
aliases CVE-2022-44572, GHSA-rqv2-275x-2jq5, GMS-2023-66
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb
2
url VCID-vkrw-y1j6-6fe7
vulnerability_id VCID-vkrw-y1j6-6fe7
summary
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44571
reference_id
reference_type
scores
0
value 0.02882
scoring_system epss
scoring_elements 0.86313
published_at 2026-04-21T12:55:00Z
1
value 0.03289
scoring_system epss
scoring_elements 0.87172
published_at 2026-04-04T12:55:00Z
2
value 0.03289
scoring_system epss
scoring_elements 0.87155
published_at 2026-04-02T12:55:00Z
3
value 0.03631
scoring_system epss
scoring_elements 0.87822
published_at 2026-04-08T12:55:00Z
4
value 0.03631
scoring_system epss
scoring_elements 0.87846
published_at 2026-04-18T12:55:00Z
5
value 0.03631
scoring_system epss
scoring_elements 0.87847
published_at 2026-04-16T12:55:00Z
6
value 0.03631
scoring_system epss
scoring_elements 0.87833
published_at 2026-04-13T12:55:00Z
7
value 0.03631
scoring_system epss
scoring_elements 0.87835
published_at 2026-04-12T12:55:00Z
8
value 0.03631
scoring_system epss
scoring_elements 0.87841
published_at 2026-04-11T12:55:00Z
9
value 0.03631
scoring_system epss
scoring_elements 0.87829
published_at 2026-04-09T12:55:00Z
10
value 0.03631
scoring_system epss
scoring_elements 0.87801
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44571
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
12
reference_url https://github.com/rack/rack/releases/tag/v3.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/releases/tag/v3.0.4.1
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml
14
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id 1029832
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164714
reference_id 2164714
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164714
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44571
reference_id CVE-2022-44571
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44571
18
reference_url https://github.com/advisories/GHSA-93pm-5p5f-3ghx
reference_id GHSA-93pm-5p5f-3ghx
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-93pm-5p5f-3ghx
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
20
reference_url https://usn.ubuntu.com/5910-1/
reference_id USN-5910-1
reference_type
scores
url https://usn.ubuntu.com/5910-1/
21
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@2.0.9.2
purl pkg:gem/rack@2.0.9.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c21j-snf1-d3cb
8
vulnerability VCID-c5sc-7qnn-mkb9
9
vulnerability VCID-d58r-22kr-9bct
10
vulnerability VCID-fpg2-nhey-rkcc
11
vulnerability VCID-gdhf-e8q1-kbat
12
vulnerability VCID-gtzk-m9rm-57hw
13
vulnerability VCID-npag-sz7d-v7b6
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-vkrw-y1j6-6fe7
17
vulnerability VCID-w732-52bx-2qf8
18
vulnerability VCID-wt7k-s1yd-nke6
19
vulnerability VCID-xazq-qrm1-9ff6
20
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2
1
url pkg:gem/rack@2.1.4.2
purl pkg:gem/rack@2.1.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c21j-snf1-d3cb
8
vulnerability VCID-c5sc-7qnn-mkb9
9
vulnerability VCID-d58r-22kr-9bct
10
vulnerability VCID-fpg2-nhey-rkcc
11
vulnerability VCID-gdhf-e8q1-kbat
12
vulnerability VCID-gtzk-m9rm-57hw
13
vulnerability VCID-npag-sz7d-v7b6
14
vulnerability VCID-s971-gkdg-jkhc
15
vulnerability VCID-skxv-7he3-xqgc
16
vulnerability VCID-vkrw-y1j6-6fe7
17
vulnerability VCID-w732-52bx-2qf8
18
vulnerability VCID-wt7k-s1yd-nke6
19
vulnerability VCID-xazq-qrm1-9ff6
20
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2
2
url pkg:gem/rack@2.2.6.1
purl pkg:gem/rack@2.2.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-6c1k-vgv4-93ad
2
vulnerability VCID-7p12-ejdu-uqgy
3
vulnerability VCID-7wvj-9h3p-23am
4
vulnerability VCID-7zgg-tvu3-r7gt
5
vulnerability VCID-9rpp-9xss-duf6
6
vulnerability VCID-arac-j5h5-zkcu
7
vulnerability VCID-azu5-jcmd-3ufx
8
vulnerability VCID-c21j-snf1-d3cb
9
vulnerability VCID-c5sc-7qnn-mkb9
10
vulnerability VCID-d58r-22kr-9bct
11
vulnerability VCID-fpg2-nhey-rkcc
12
vulnerability VCID-gdhf-e8q1-kbat
13
vulnerability VCID-gtzk-m9rm-57hw
14
vulnerability VCID-npag-sz7d-v7b6
15
vulnerability VCID-s971-gkdg-jkhc
16
vulnerability VCID-skxv-7he3-xqgc
17
vulnerability VCID-vkrw-y1j6-6fe7
18
vulnerability VCID-w732-52bx-2qf8
19
vulnerability VCID-wt7k-s1yd-nke6
20
vulnerability VCID-xazq-qrm1-9ff6
21
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1
3
url pkg:gem/rack@3.0.4.1
purl pkg:gem/rack@3.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-fpg2-nhey-rkcc
10
vulnerability VCID-gtzk-m9rm-57hw
11
vulnerability VCID-npag-sz7d-v7b6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-w732-52bx-2qf8
15
vulnerability VCID-wt7k-s1yd-nke6
16
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1
aliases CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7
3
url VCID-xkah-9nv9-wufd
vulnerability_id VCID-xkah-9nv9-wufd
summary
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds: Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
reference_id
reference_type
scores
0
value 0.00328
scoring_system epss
scoring_elements 0.55815
published_at 2026-04-04T12:55:00Z
1
value 0.00328
scoring_system epss
scoring_elements 0.55793
published_at 2026-04-02T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56406
published_at 2026-04-16T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56374
published_at 2026-04-13T12:55:00Z
4
value 0.00335
scoring_system epss
scoring_elements 0.56392
published_at 2026-04-12T12:55:00Z
5
value 0.00335
scoring_system epss
scoring_elements 0.56416
published_at 2026-04-11T12:55:00Z
6
value 0.00335
scoring_system epss
scoring_elements 0.56377
published_at 2026-04-21T12:55:00Z
7
value 0.00335
scoring_system epss
scoring_elements 0.56407
published_at 2026-04-18T12:55:00Z
8
value 0.00364
scoring_system epss
scoring_elements 0.58481
published_at 2026-04-08T12:55:00Z
9
value 0.00364
scoring_system epss
scoring_elements 0.58428
published_at 2026-04-07T12:55:00Z
10
value 0.00364
scoring_system epss
scoring_elements 0.58487
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
12
reference_url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
13
reference_url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
14
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
15
reference_url https://security.netapp.com/advisory/ntap-20231208-0016
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231208-0016
16
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://www.debian.org/security/2023/dsa-5530
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id 1033264
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id 2179649
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
reference_id CVE-2023-27539
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
reference_id CVE-2023-27539.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
21
reference_url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
reference_id GHSA-c6qg-cjj8-47qp
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
22
reference_url https://security.netapp.com/advisory/ntap-20231208-0016/
reference_id ntap-20231208-0016
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://security.netapp.com/advisory/ntap-20231208-0016/
23
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
24
reference_url https://access.redhat.com/errata/RHSA-2023:1961
reference_id RHSA-2023:1961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1961
25
reference_url https://access.redhat.com/errata/RHSA-2023:1981
reference_id RHSA-2023:1981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1981
26
reference_url https://access.redhat.com/errata/RHSA-2023:2652
reference_id RHSA-2023:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2652
27
reference_url https://access.redhat.com/errata/RHSA-2023:3082
reference_id RHSA-2023:3082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3082
28
reference_url https://access.redhat.com/errata/RHSA-2023:3403
reference_id RHSA-2023:3403
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3403
29
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
30
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
31
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
32
reference_url https://usn.ubuntu.com/6905-1/
reference_id USN-6905-1
reference_type
scores
url https://usn.ubuntu.com/6905-1/
33
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@2.2.6.4
purl pkg:gem/rack@2.2.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-gdhf-e8q1-kbat
10
vulnerability VCID-gtzk-m9rm-57hw
11
vulnerability VCID-npag-sz7d-v7b6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-w732-52bx-2qf8
15
vulnerability VCID-wt7k-s1yd-nke6
16
vulnerability VCID-xazq-qrm1-9ff6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4
1
url pkg:gem/rack@3.0.6.1
purl pkg:gem/rack@3.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-gtzk-m9rm-57hw
10
vulnerability VCID-npag-sz7d-v7b6
11
vulnerability VCID-s971-gkdg-jkhc
12
vulnerability VCID-skxv-7he3-xqgc
13
vulnerability VCID-w732-52bx-2qf8
14
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1
aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd
4
url VCID-yw62-qbkq-9ygq
vulnerability_id VCID-yw62-qbkq-9ygq
summary
Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

### Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds

There are no known workarounds.

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.0 series

### Credits

Thanks Will Leinweber for reporting this!
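The description above is easy to misread as "use a constant-time string compare". The comparison that leaks here happens inside the backing store's index, which application code cannot make constant-time; the practical fix is to stop using the cookie value as the storage key. The Ruby below is an added example written for this page, not Rack's code: `SessionId`, `LeakyStore` and the `probe_*` helpers are this example's own names, and `LeakyStore` is a constructed toy whose lookup cost grows with the number of leading bytes a probe shares with a stored key (a stand-in for the measurable response time of a real indexed store). It contrasts keying the store by the raw cookie value with keying it by a SHA-256 "private id" of that value, which is the shape of the approach Rack 2.0.8 adopted.

```ruby
require 'digest'
require 'securerandom'

# Added example, not Rack's own code. The value handed to the client
# (public_id) and the key used in the backing store (private_id, a
# SHA-256 of the public id) are different strings, so any prefix
# information the store leaks is about the hash, not the cookie value.
class SessionId
  ID_VERSION = 2
  attr_reader :public_id

  def initialize(public_id)
    @public_id = public_id
  end

  def self.generate
    new(SecureRandom.hex(16))
  end

  def private_id
    "#{ID_VERSION}::#{Digest::SHA256.hexdigest(public_id)}"
  end
end

# Constructed toy store (assumption for this example). Lookup cost grows
# with the number of leading bytes a probe shares with a stored key,
# which is the kind of data-dependent behaviour an indexed store can
# exhibit. `work` stands in for the response time an attacker measures.
class LeakyStore
  attr_reader :work

  def initialize
    @rows = {}
    @work = 0
  end

  def write(key, value)
    @rows[key] = value
  end

  def read(key)
    @work = 0
    @rows.each do |stored_key, value|
      n = shared_prefix_length(stored_key, key)
      @work += n + 1
      return value if n == stored_key.bytesize && n == key.bytesize
    end
    nil
  end

  private

  def shared_prefix_length(a, b)
    i = 0
    i += 1 while i < a.bytesize && i < b.bytesize && a.getbyte(i) == b.getbyte(i)
    i
  end
end

# Vulnerable pattern: the cookie value is the store key, so the cost an
# attacker observes tracks how many leading characters of a guess match
# the real session id. Returns the measured work for one probe.
def probe_raw(real_id, guess)
  store = LeakyStore.new
  store.write(real_id, { user: 'alice' })
  store.read(guess)
  store.work
end

# Hardened pattern: the store is keyed by private_id. A guess that shares
# a prefix with the real cookie value hashes to an unrelated key, so the
# observed cost carries no usable information about the cookie value.
def probe_hashed(real_id, guess)
  store = LeakyStore.new
  store.write(SessionId.new(real_id).private_id, { user: 'alice' })
  store.read(SessionId.new(guess).private_id)
  store.work
end

# Normal lookup under the hardened scheme: only the exact public id
# presented by the client resolves to the stored session.
def session_for(real_id, presented_id)
  store = LeakyStore.new
  store.write(SessionId.new(real_id).private_id, { user: 'alice' })
  store.read(SessionId.new(presented_id).private_id)
end

if __FILE__ == $PROGRAM_NAME
  real = 'a' * 32                 # constructed session id
  half = ('a' * 16) + ('b' * 16)  # guess sharing the first 16 characters
  none = 'b' * 32                 # guess sharing nothing
  puts "raw    : no-match=#{probe_raw(real, none)} half-match=#{probe_raw(real, half)}"
  puts "hashed : no-match=#{probe_hashed(real, none)} half-match=#{probe_hashed(real, half)}"
end
```

With raw keys the half-matching guess costs noticeably more than the non-matching one, which is exactly the signal a byte-by-byte timing attack needs; with hashed keys both guesses cost about the same because the prefix they share with the real cookie value does not survive hashing. A database-side constant-time compare is not something the application can arrange, which is why the fix changes what is stored rather than how it is compared.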
references
0
reference_url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
1
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2019-16782
reference_id
reference_type
scores
0
value 0.00892
scoring_system epss
scoring_elements 0.75593
published_at 2026-04-21T12:55:00Z
1
value 0.01251
scoring_system epss
scoring_elements 0.79345
published_at 2026-04-12T12:55:00Z
2
value 0.01251
scoring_system epss
scoring_elements 0.79357
published_at 2026-04-18T12:55:00Z
3
value 0.01251
scoring_system epss
scoring_elements 0.79361
published_at 2026-04-16T12:55:00Z
4
value 0.01251
scoring_system epss
scoring_elements 0.79334
published_at 2026-04-13T12:55:00Z
5
value 0.01251
scoring_system epss
scoring_elements 0.7936
published_at 2026-04-11T12:55:00Z
6
value 0.01251
scoring_system epss
scoring_elements 0.79336
published_at 2026-04-09T12:55:00Z
7
value 0.01251
scoring_system epss
scoring_elements 0.79327
published_at 2026-04-08T12:55:00Z
8
value 0.01251
scoring_system epss
scoring_elements 0.79301
published_at 2026-04-07T12:55:00Z
9
value 0.01251
scoring_system epss
scoring_elements 0.79315
published_at 2026-04-04T12:55:00Z
10
value 0.01251
scoring_system epss
scoring_elements 0.79291
published_at 2026-04-02T12:55:00Z
11
value 0.01251
scoring_system epss
scoring_elements 0.79285
published_at 2026-04-01T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2019-16782
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
4
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
5
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
6
reference_url https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
7
reference_url https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3
scoring_elements
1
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
9
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
10
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2019-16782
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2019-16782
12
reference_url http://www.openwall.com/lists/oss-security/2019/12/18/2
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/12/18/2
13
reference_url http://www.openwall.com/lists/oss-security/2019/12/18/3
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/12/18/3
14
reference_url http://www.openwall.com/lists/oss-security/2019/12/19/3
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2019/12/19/3
15
reference_url http://www.openwall.com/lists/oss-security/2020/04/08/1
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2020/04/08/1
16
reference_url http://www.openwall.com/lists/oss-security/2020/04/09/2
reference_id
reference_type
scores
0
value 6.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2020/04/09/2
17
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=1789100
reference_id 1789100
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=1789100
18
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983
reference_id 946983
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983
19
reference_url https://github.com/advisories/GHSA-hrqr-hxpp-chr3
reference_id GHSA-hrqr-hxpp-chr3
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hrqr-hxpp-chr3
20
reference_url https://access.redhat.com/errata/RHSA-2020:2480
reference_id RHSA-2020:2480
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:2480
21
reference_url https://access.redhat.com/errata/RHSA-2020:4366
reference_id RHSA-2020:4366
reference_type
scores
url https://access.redhat.com/errata/RHSA-2020:4366
22
reference_url https://access.redhat.com/errata/RHSA-2021:1313
reference_id RHSA-2021:1313
reference_type
scores
url https://access.redhat.com/errata/RHSA-2021:1313
23
reference_url https://usn.ubuntu.com/USN-5253-1/
reference_id USN-USN-5253-1
reference_type
scores
url https://usn.ubuntu.com/USN-5253-1/
fixed_packages
0
url pkg:gem/rack@2.0.8
purl pkg:gem/rack@2.0.8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-6c1k-vgv4-93ad
2
vulnerability VCID-7p12-ejdu-uqgy
3
vulnerability VCID-7wvj-9h3p-23am
4
vulnerability VCID-7zgg-tvu3-r7gt
5
vulnerability VCID-8zkw-y3yd-yuft
6
vulnerability VCID-9rpp-9xss-duf6
7
vulnerability VCID-arac-j5h5-zkcu
8
vulnerability VCID-azu5-jcmd-3ufx
9
vulnerability VCID-c21j-snf1-d3cb
10
vulnerability VCID-c5sc-7qnn-mkb9
11
vulnerability VCID-d58r-22kr-9bct
12
vulnerability VCID-fpg2-nhey-rkcc
13
vulnerability VCID-gdhf-e8q1-kbat
14
vulnerability VCID-gtzk-m9rm-57hw
15
vulnerability VCID-npag-sz7d-v7b6
16
vulnerability VCID-qt1u-2p37-xfet
17
vulnerability VCID-s971-gkdg-jkhc
18
vulnerability VCID-skxv-7he3-xqgc
19
vulnerability VCID-udc4-7jnt-y3fu
20
vulnerability VCID-vkrw-y1j6-6fe7
21
vulnerability VCID-w732-52bx-2qf8
22
vulnerability VCID-wt7k-s1yd-nke6
23
vulnerability VCID-xazq-qrm1-9ff6
24
vulnerability VCID-xkah-9nv9-wufd
25
vulnerability VCID-xnz5-gv2x-17bk
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.8
aliases CVE-2019-16782, GHSA-hrqr-hxpp-chr3
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yw62-qbkq-9ygq
Fixing_vulnerabilities
Risk_score 3.4
Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.0