Package Instance

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-30122

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-30122

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0012

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0012

reference_url

https://security.netapp.com/advisory/ntap-20231208-0012/

reference_id

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0012/

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://github.com/advisories/GHSA-hxqx-xwvh-44m2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2099519
reference_id	2099519
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2099519

reference_url

reference_id

GHSA-hxqx-xwvh-44m2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hxqx-xwvh-44m2

reference_url	https://access.redhat.com/errata/RHSA-2022:7242
reference_id	RHSA-2022:7242
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7242

reference_url	https://access.redhat.com/errata/RHSA-2023:1486
reference_id	RHSA-2023:1486
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1486

reference_url	https://usn.ubuntu.com/5896-1/
reference_id	USN-5896-1
reference_type
scores
url	https://usn.ubuntu.com/5896-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-30122, GHSA-hxqx-xwvh-44m2

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9smu-4k8c-3kh2

url VCID-f5ev-kfux-n7hj

vulnerability_id VCID-f5ev-kfux-n7hj

summary

Denial of Service Vulnerability in Rack Content-Disposition parsing
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
    2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
    2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
    3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44571

reference_id

reference_type

scores

value	0.02825
scoring_system	epss
scoring_elements	0.86412
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44571

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44571

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44570.json

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id	1029832
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164714
reference_id	2164714
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164714

reference_url	https://github.com/advisories/GHSA-93pm-5p5f-3ghx
reference_id	GHSA-93pm-5p5f-3ghx
reference_type
scores
url	https://github.com/advisories/GHSA-93pm-5p5f-3ghx

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/5910-1/
reference_id	USN-5910-1
reference_type
scores
url	https://usn.ubuntu.com/5910-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-3%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f5ev-kfux-n7hj

url VCID-h44h-uxra-83cs

vulnerability_id VCID-h44h-uxra-83cs

summary

Denial of service via header parsing in Rack
There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.

Versions Affected: >= 1.5.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1
Impact

Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.0 series
    2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.1 series
    2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.2 series
    3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 3.0 series

references

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44570.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44570

reference_id

reference_type

scores

value	0.03121
scoring_system	epss
scoring_elements	0.87067
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44570.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44570.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44570

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44570

reference_url

https://security.netapp.com/advisory/ntap-20231208-0010

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0010

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id	1029832
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164719
reference_id	2164719
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164719

reference_url	https://github.com/advisories/GHSA-65f5-mfpf-vfhj
reference_id	GHSA-65f5-mfpf-vfhj
reference_type
scores
url	https://github.com/advisories/GHSA-65f5-mfpf-vfhj

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/5910-1/
reference_id	USN-5910-1
reference_type
scores
url	https://usn.ubuntu.com/5910-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-3%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-44570, GHSA-65f5-mfpf-vfhj, GMS-2023-64

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h44h-uxra-83cs

url VCID-n3cc-pvr9-4bd5

vulnerability_id VCID-n3cc-pvr9-4bd5

summary

Possible Denial of Service Vulnerability in Rack's header parsing
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1

# Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

# Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

references

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27539

reference_id

reference_type

scores

value	0.00364
scoring_system	epss
scoring_elements	0.58717
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27539

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c

reference_url

https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml

reference_url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27539

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27539

reference_url

https://security.netapp.com/advisory/ntap-20231208-0016

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0016

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/advisories/GHSA-c6qg-cjj8-47qp

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id	1033264
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id	2179649
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2179649

reference_url

reference_id

GHSA-c6qg-cjj8-47qp

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/advisories/GHSA-c6qg-cjj8-47qp

reference_url

https://security.netapp.com/advisory/ntap-20231208-0016/

reference_id

ntap-20231208-0016

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0016/

reference_url	https://access.redhat.com/errata/RHSA-2023:1953
reference_id	RHSA-2023:1953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1953

reference_url	https://access.redhat.com/errata/RHSA-2023:1961
reference_id	RHSA-2023:1961
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1961

reference_url	https://access.redhat.com/errata/RHSA-2023:1981
reference_id	RHSA-2023:1981
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1981

reference_url	https://access.redhat.com/errata/RHSA-2023:2652
reference_id	RHSA-2023:2652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2652

reference_url	https://access.redhat.com/errata/RHSA-2023:3082
reference_id	RHSA-2023:3082
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3082

reference_url	https://access.redhat.com/errata/RHSA-2023:3403
reference_id	RHSA-2023:3403
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3403

reference_url	https://access.redhat.com/errata/RHSA-2023:3495
reference_id	RHSA-2023:3495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3495

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/6689-1/
reference_id	USN-6689-1
reference_type
scores
url	https://usn.ubuntu.com/6689-1/

reference_url	https://usn.ubuntu.com/6905-1/
reference_id	USN-6905-1
reference_type
scores
url	https://usn.ubuntu.com/6905-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n3cc-pvr9-4bd5

url VCID-ya57-9vg9-xka9

vulnerability_id VCID-ya57-9vg9-xka9

summary

Rack has possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27530

reference_id

reference_type

scores

value	0.01982
scoring_system	epss
scoring_elements	0.83865
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml

reference_url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27530

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27530

reference_url

https://security.netapp.com/advisory/ntap-20231208-0015

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0015

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://security.netapp.com/advisory/ntap-20231208-0015/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803
reference_id	1032803
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2176477
reference_id	2176477
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2176477

reference_url	https://github.com/advisories/GHSA-3h57-hmj3-gj3p
reference_id	GHSA-3h57-hmj3-gj3p
reference_type
scores
url	https://github.com/advisories/GHSA-3h57-hmj3-gj3p

reference_url

reference_id

ntap-20231208-0015

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://security.netapp.com/advisory/ntap-20231208-0015/

reference_url	https://access.redhat.com/errata/RHSA-2023:1961
reference_id	RHSA-2023:1961
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1961

reference_url	https://access.redhat.com/errata/RHSA-2023:1981
reference_id	RHSA-2023:1981
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1981

reference_url	https://access.redhat.com/errata/RHSA-2023:2652
reference_id	RHSA-2023:2652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2652

reference_url	https://access.redhat.com/errata/RHSA-2023:3082
reference_id	RHSA-2023:3082
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3082

reference_url	https://access.redhat.com/errata/RHSA-2023:3403
reference_id	RHSA-2023:3403
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3403

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/6837-1/
reference_id	USN-6837-1
reference_type
scores
url	https://usn.ubuntu.com/6837-1/

reference_url	https://usn.ubuntu.com/6905-1/
reference_id	USN-6905-1
reference_type
scores
url	https://usn.ubuntu.com/6905-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2023-27530, GHSA-3h57-hmj3-gj3p, GMS-2023-663

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ya57-9vg9-xka9

url VCID-yu1h-8nr1-vfhu

vulnerability_id VCID-yu1h-8nr1-vfhu

summary rubygem-rack: crafted requests can cause shell escape sequences

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-30123

reference_id

reference_type

scores

value	0.02206
scoring_system	epss
scoring_elements	0.84713
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-30123

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-30123

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0011

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0011

reference_url	https://security.netapp.com/advisory/ntap-20231208-0011/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20231208-0011/

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-wq4h-7r42-5hrr

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2099524
reference_id	2099524
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2099524

reference_url

reference_id

GHSA-wq4h-7r42-5hrr

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wq4h-7r42-5hrr

reference_url	https://access.redhat.com/errata/RHSA-2022:7343
reference_id	RHSA-2022:7343
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7343

reference_url	https://access.redhat.com/errata/RHSA-2023:0632
reference_id	RHSA-2023:0632
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0632

reference_url	https://access.redhat.com/errata/RHSA-2023:1486
reference_id	RHSA-2023:1486
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1486

reference_url	https://usn.ubuntu.com/5896-1/
reference_id	USN-5896-1
reference_type
scores
url	https://usn.ubuntu.com/5896-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-30123, GHSA-wq4h-7r42-5hrr

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu1h-8nr1-vfhu

url VCID-zbqp-syvz-8bb5

vulnerability_id VCID-zbqp-syvz-8bb5

summary

Denial of service via multipart parsing in Rack
There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Forbid-control-characters-in-attributes.patch - Patch for 2.0 series
    2-1-Forbid-control-characters-in-attributes.patch - Patch for 2.1 series
    2-2-Forbid-control-characters-in-attributes.patch - Patch for 2.2 series
    3-0-Forbid-control-characters-in-attributes.patch - Patch for 3.0 series

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44572

reference_id

reference_type

scores

value	0.00255
scoring_system	epss
scoring_elements	0.4897
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml

reference_url

https://hackerone.com/reports/1639882

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1639882

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44572

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44572

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url