Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/69188?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "type": "gem", "namespace": "", "name": "rack", "version": "3.0.9.1", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "3.1.17", "latest_non_vulnerable_version": "3.2.5", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47151?format=api", "vulnerability_id": "VCID-52qe-dast-tkhu", "summary": "Rack Header Parsing leads to Possible Denial of Service Vulnerability\n# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. 
They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716" }, { "reference_url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582" }, { "reference_url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f" }, { "reference_url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146", "reference_id": "CVE-2024-26146", "reference_type": "", "scores": [], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-26146" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml", "reference_id": "CVE-2024-26146.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml" }, { "reference_url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "GHSA-54rr-7fvw-6x8f", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "GHSA-54rr-7fvw-6x8f", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69191?format=api", "purl": "pkg:gem/rack@2.0.9.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69190?format=api", "purl": "pkg:gem/rack@2.1.4.4", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4" }, { "url": "http://public2.vulnerablecode.io/api/packages/69189?format=api", "purl": "pkg:gem/rack@2.2.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26146", "GHSA-54rr-7fvw-6x8f" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": 
"http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47156?format=api", "vulnerability_id": "VCID-heu4-cd3d-73ck", "summary": "Rack has possible DoS Vulnerability with Range Header\n# Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0.\nNot affected: < 1.3.0\nFixed Versions: 3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. 
They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and\npatch", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9" }, { "reference_url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141", "reference_id": "CVE-2024-26141", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "reference_id": "CVE-2024-26141.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml" }, { "reference_url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", 
"reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69189?format=api", "purl": "pkg:gem/rack@2.2.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26141", "GHSA-xj5v-6v4g-jfw6" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47152?format=api", "vulnerability_id": "VCID-yq3g-ykeu-pfbp", "summary": "Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)\n### Summary\n\n```ruby\nmodule Rack\n class MediaType\n SPLIT_PATTERN = %r{\\s*[;,]\\s*}\n```\n\nThe above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.\n\n### PoC\n\nA simple HTTP request with lots of blank characters in the content-type header:\n\n```ruby\nrequest[\"Content-Type\"] = (\" \" * 50_000) + \"a,\"\n```\n\n### Impact\n\nIt's a very easy to craft ReDoS. 
Like all ReDoS the impact is debatable.", "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462" }, { "reference_url": "https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25126", "reference_id": "CVE-2024-25126", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25126" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml", "reference_id": "CVE-2024-25126.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml" }, { "reference_url": "https://github.com/advisories/GHSA-22f2-v57c-j9cx", "reference_id": "GHSA-22f2-v57c-j9cx", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-22f2-v57c-j9cx" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx", "reference_id": "GHSA-22f2-v57c-j9cx", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx" } ], "fixed_packages": [ { "url": 
"http://public2.vulnerablecode.io/api/packages/69189?format=api", "purl": "pkg:gem/rack@2.2.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-25126", "GHSA-22f2-v57c-j9cx" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yq3g-ykeu-pfbp" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" }