Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/64279?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/64279?format=api", "purl": "pkg:gem/rack@3.0.0", "type": "gem", "namespace": "", "name": "rack", "version": "3.0.0", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.0.4.1", "latest_non_vulnerable_version": "3.2.5", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47151?format=api", "vulnerability_id": "VCID-52qe-dast-tkhu", "summary": "Rack Header Parsing leads to Possible Denial of Service Vulnerability\n# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716" }, { "reference_url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582" }, { "reference_url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f" }, { "reference_url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146", "reference_id": "CVE-2024-26146", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml", "reference_id": "CVE-2024-26146.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml" }, { "reference_url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "GHSA-54rr-7fvw-6x8f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "GHSA-54rr-7fvw-6x8f", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26146", "GHSA-54rr-7fvw-6x8f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44670?format=api", "vulnerability_id": "VCID-bqpn-m2fh-9kab", "summary": "Possible Denial of Service Vulnerability in Rack’s header parsing\nThere is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27539", "reference_id": "CVE-2023-27539", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27539" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml", "reference_id": "CVE-2023-27539.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml" }, { "reference_url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp", "reference_id": "GHSA-c6qg-cjj8-47qp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64318?format=api", "purl": "pkg:gem/rack@3.0.6.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1" } ], "aliases": [ "CVE-2023-27539", "GHSA-c6qg-cjj8-47qp", "GMS-2023-769" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bqpn-m2fh-9kab" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47156?format=api", "vulnerability_id": "VCID-heu4-cd3d-73ck", "summary": "Rack has possible DoS Vulnerability with Range Header\n# Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0.\nNot affected: < 1.3.0\nFixed Versions: 3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and\npatch", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9" }, { "reference_url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141", "reference_id": "CVE-2024-26141", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "reference_id": "CVE-2024-26141.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml" }, { "reference_url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26141", "GHSA-xj5v-6v4g-jfw6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47152?format=api", "vulnerability_id": "VCID-yq3g-ykeu-pfbp", "summary": "Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)\n### Summary\n\n```ruby\nmodule Rack\n class MediaType\n SPLIT_PATTERN = %r{\\s*[;,]\\s*}\n```\n\nThe above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.\n\n### PoC\n\nA simple HTTP request with lots of blank characters in the content-type header:\n\n```ruby\nrequest[\"Content-Type\"] = (\" \" * 50_000) + \"a,\"\n```\n\n### Impact\n\nIt's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462" }, { "reference_url": "https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25126", "reference_id": "CVE-2024-25126", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25126" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml", "reference_id": "CVE-2024-25126.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml" }, { "reference_url": "https://github.com/advisories/GHSA-22f2-v57c-j9cx", "reference_id": "GHSA-22f2-v57c-j9cx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-22f2-v57c-j9cx" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx", "reference_id": "GHSA-22f2-v57c-j9cx", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-25126", "GHSA-22f2-v57c-j9cx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yq3g-ykeu-pfbp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/44647?format=api", "vulnerability_id": "VCID-zqax-g5xz-wuch", "summary": "Rack has possible DoS Vulnerability in Multipart MIME parsing\nThere is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.\n\nVersions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3\n\n# Impact\nThe Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n# Workarounds\nA proxy can be configured to limit the POST body size which will mitigate this issue.", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27530", "reference_id": "CVE-2023-27530", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27530" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml", "reference_id": "CVE-2023-27530.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml" }, { "reference_url": "https://github.com/advisories/GHSA-3h57-hmj3-gj3p", "reference_id": "GHSA-3h57-hmj3-gj3p", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-3h57-hmj3-gj3p" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64283?format=api", "purl": "pkg:gem/rack@3.0.4.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.2" } ], "aliases": [ "CVE-2023-27530", "GHSA-3h57-hmj3-gj3p", "GMS-2023-663" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zqax-g5xz-wuch" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0" }