Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/47156?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47156?format=api", "vulnerability_id": "VCID-heu4-cd3d-73ck", "summary": "Rack has possible DoS Vulnerability with Range Header\n# Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0.\nNot affected: < 1.3.0\nFixed Versions: 3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and\npatch", "aliases": [ { "alias": "CVE-2024-26141" }, { "alias": "GHSA-xj5v-6v4g-jfw6" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69189?format=api", "purl": "pkg:gem/rack@2.2.8.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69188?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/51368?format=api", "purl": "pkg:gem/rack@1.3.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-6yf4-8k7v-p7d7" }, { "vulnerability": "VCID-heu4-cd3d-73ck" }, { "vulnerability": "VCID-w1cf-9x6v-pyhw" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.3.0" }, { "url": "http://public2.vulnerablecode.io/api/packages/64279?format=api", "purl": "pkg:gem/rack@3.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-52qe-dast-tkhu" }, { "vulnerability": "VCID-bqpn-m2fh-9kab" }, { "vulnerability": "VCID-heu4-cd3d-73ck" }, { "vulnerability": "VCID-yq3g-ykeu-pfbp" }, { "vulnerability": "VCID-zqax-g5xz-wuch" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0" } ], "references": [ { "reference_url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "reference_id": "", "reference_type": "", "scores": [], "url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9" }, { "reference_url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141", "reference_id": "CVE-2024-26141", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "reference_id": "CVE-2024-26141.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml" }, { "reference_url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6" } ], "weaknesses": [ { "cwe_id": 400, "name": "Uncontrolled Resource Consumption", "description": "The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." } ], "exploits": [], "severity_range_score": null, "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck" }