{"url":"http://public2.vulnerablecode.io/api/packages/33286?format=json","purl":"pkg:gem/rack@2.0.0","type":"gem","namespace":"","name":"rack","version":"2.0.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":null,"latest_non_vulnerable_version":null,"affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10046?format=json","vulnerability_id":"VCID-9xy8-h3y1-mubv","summary":"Cross-site Scripting\nThere is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to HTTP or HTTPS and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html"},{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16471","reference_id":"","reference_type":"","scores":[{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53283","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53232","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53238","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53185","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53217","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53193","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53169","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.5329","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53252","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53296","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00299","scoring_system":"epss","scoring_elements":"0.53269","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74701","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74558","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74594","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.746","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74601","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74604","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74633","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74659","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74627","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00829","scoring_system":"epss","scoring_elements":"0.74647","published_at":"2026-05-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-16471"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml"},{"reference_url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag"},{"reference_url":"https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html"},{"reference_url":"https://usn.ubuntu.com/4089-1","reference_id":"","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4089-1"},{"reference_url":"https://usn.ubuntu.com/4089-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4089-1/"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1646818","reference_id":"1646818","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1646818"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005","reference_id":"913005","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16471","reference_id":"CVE-2018-16471","reference_type":"","scores":[{"value":"6.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-16471"},{"reference_url":"https://github.com/advisories/GHSA-5r2p-j47h-mhpg","reference_id":"GHSA-5r2p-j47h-mhpg","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-5r2p-j47h-mhpg"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/33275?format=json","purl":"pkg:gem/rack@2.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-6c1k-vgv4-93ad"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-8zkw-y3yd-yuft"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-qt1u-2p37-xfet"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-udc4-7jnt-y3fu"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"},{"vulnerability":"VCID-xnz5-gv2x-17bk"},{"vulnerability":"VCID-yw62-qbkq-9ygq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.6"}],"aliases":["CVE-2018-16471","GHSA-5r2p-j47h-mhpg"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9xy8-h3y1-mubv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16109?format=json","vulnerability_id":"VCID-c21j-snf1-d3cb","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-44572","reference_id":"","reference_type":"","scores":[{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46288","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46299","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00234","scoring_system":"epss","scoring_elements":"0.46307","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48716","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48741","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48823","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48679","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48764","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48746","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00255","scoring_system":"epss","scoring_elements":"0.48769","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.49513","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00262","scoring_system":"epss","scoring_elements":"0.4954","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50986","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50964","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50948","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50985","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00275","scoring_system":"epss","scoring_elements":"0.50991","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53184","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53192","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00298","scoring_system":"epss","scoring_elements":"0.53138","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-44572"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/releases/tag/v3.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack/releases/tag/v3.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml"},{"reference_url":"https://hackerone.com/reports/1639882","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://hackerone.com/reports/1639882"},{"reference_url":"https://www.debian.org/security/2023/dsa-5530","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5530"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832","reference_id":"1029832","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164722","reference_id":"2164722","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164722"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44572","reference_id":"CVE-2022-44572","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44572"},{"reference_url":"https://github.com/advisories/GHSA-rqv2-275x-2jq5","reference_id":"GHSA-rqv2-275x-2jq5","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rqv2-275x-2jq5"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"},{"reference_url":"https://usn.ubuntu.com/5910-1/","reference_id":"USN-5910-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5910-1/"},{"reference_url":"https://usn.ubuntu.com/7036-1/","reference_id":"USN-7036-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7036-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55404?format=json","purl":"pkg:gem/rack@2.0.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/55405?format=json","purl":"pkg:gem/rack@2.1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/55822?format=json","purl":"pkg:gem/rack@2.2.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-6c1k-vgv4-93ad"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.5"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:gem/rack@2.2.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-6c1k-vgv4-93ad"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55407?format=json","purl":"pkg:gem/rack@3.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-dh75-6jyw-1ke2"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1"}],"aliases":["CVE-2022-44572","GHSA-rqv2-275x-2jq5","GMS-2023-66"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16099?format=json","vulnerability_id":"VCID-vkrw-y1j6-6fe7","summary":"Duplicate\nThis advisory duplicates another.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-44571","reference_id":"","reference_type":"","scores":[{"value":"0.02882","scoring_system":"epss","scoring_elements":"0.86342","published_at":"2026-04-26T12:55:00Z"},{"value":"0.02882","scoring_system":"epss","scoring_elements":"0.86313","published_at":"2026-04-21T12:55:00Z"},{"value":"0.02882","scoring_system":"epss","scoring_elements":"0.86333","published_at":"2026-04-24T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86889","published_at":"2026-04-29T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86956","published_at":"2026-05-12T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86947","published_at":"2026-05-09T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86929","published_at":"2026-05-07T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.8691","published_at":"2026-05-05T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86984","published_at":"2026-05-14T12:55:00Z"},{"value":"0.03121","scoring_system":"epss","scoring_elements":"0.86943","published_at":"2026-05-11T12:55:00Z"},{"value":"0.03289","scoring_system":"epss","scoring_elements":"0.87155","published_at":"2026-04-02T12:55:00Z"},{"value":"0.03289","scoring_system":"epss","scoring_elements":"0.87172","published_at":"2026-04-04T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87841","published_at":"2026-04-11T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87801","published_at":"2026-04-07T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87822","published_at":"2026-04-08T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87829","published_at":"2026-04-09T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87835","published_at":"2026-04-12T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87833","published_at":"2026-04-13T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87847","published_at":"2026-04-16T12:55:00Z"},{"value":"0.03631","scoring_system":"epss","scoring_elements":"0.87846","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-44571"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/releases/tag/v3.0.4.1","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack/releases/tag/v3.0.4.1"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml"},{"reference_url":"https://www.debian.org/security/2023/dsa-5530","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2023/dsa-5530"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832","reference_id":"1029832","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164714","reference_id":"2164714","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2164714"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44571","reference_id":"CVE-2022-44571","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44571"},{"reference_url":"https://github.com/advisories/GHSA-93pm-5p5f-3ghx","reference_id":"GHSA-93pm-5p5f-3ghx","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-93pm-5p5f-3ghx"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"},{"reference_url":"https://usn.ubuntu.com/5910-1/","reference_id":"USN-5910-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5910-1/"},{"reference_url":"https://usn.ubuntu.com/7036-1/","reference_id":"USN-7036-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7036-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/55404?format=json","purl":"pkg:gem/rack@2.0.9.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2"},{"url":"http://public2.vulnerablecode.io/api/packages/55405?format=json","purl":"pkg:gem/rack@2.1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2"},{"url":"http://public2.vulnerablecode.io/api/packages/55831?format=json","purl":"pkg:gem/rack@2.2.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-6c1k-vgv4-93ad"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1"},{"url":"http://public2.vulnerablecode.io/api/packages/55407?format=json","purl":"pkg:gem/rack@3.0.4.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-dh75-6jyw-1ke2"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xkah-9nv9-wufd"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1"}],"aliases":["CVE-2022-44571","GHSA-93pm-5p5f-3ghx","GMS-2023-65"],"risk_score":3.4,"exploitability":"0.5","weighted_severity":"6.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/16800?format=json","vulnerability_id":"VCID-xkah-9nv9-wufd","summary":"Possible Denial of Service Vulnerability in Rack’s header parsing\nThere is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27539","reference_id":"","reference_type":"","scores":[{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55815","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00328","scoring_system":"epss","scoring_elements":"0.55793","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56306","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56416","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56392","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56374","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56377","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56407","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56406","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00335","scoring_system":"epss","scoring_elements":"0.56326","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58466","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58512","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58453","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.5841","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58445","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58565","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58428","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58487","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58481","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00364","scoring_system":"epss","scoring_elements":"0.58494","published_at":"2026-05-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-27539"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539"},{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c"},{"reference_url":"https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20231208-0016","reference_id":"","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20231208-0016"},{"reference_url":"https://www.debian.org/security/2023/dsa-5530","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://www.debian.org/security/2023/dsa-5530"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264","reference_id":"1033264","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179649","reference_id":"2179649","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2179649"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27539","reference_id":"CVE-2023-27539","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27539"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml","reference_id":"CVE-2023-27539.YML","reference_type":"","scores":[{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml"},{"reference_url":"https://github.com/advisories/GHSA-c6qg-cjj8-47qp","reference_id":"GHSA-c6qg-cjj8-47qp","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://github.com/advisories/GHSA-c6qg-cjj8-47qp"},{"reference_url":"https://security.netapp.com/advisory/ntap-20231208-0016/","reference_id":"ntap-20231208-0016","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/"}],"url":"https://security.netapp.com/advisory/ntap-20231208-0016/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1953","reference_id":"RHSA-2023:1953","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1953"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1961","reference_id":"RHSA-2023:1961","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1961"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:1981","reference_id":"RHSA-2023:1981","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:1981"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:2652","reference_id":"RHSA-2023:2652","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:2652"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3082","reference_id":"RHSA-2023:3082","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3082"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3403","reference_id":"RHSA-2023:3403","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3403"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:3495","reference_id":"RHSA-2023:3495","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:3495"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"},{"reference_url":"https://usn.ubuntu.com/6689-1/","reference_id":"USN-6689-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6689-1/"},{"reference_url":"https://usn.ubuntu.com/6905-1/","reference_id":"USN-6905-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6905-1/"},{"reference_url":"https://usn.ubuntu.com/7036-1/","reference_id":"USN-7036-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7036-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/56441?format=json","purl":"pkg:gem/rack@2.2.6.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/56442?format=json","purl":"pkg:gem/rack@3.0.6.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-dh75-6jyw-1ke2"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1"}],"aliases":["CVE-2023-27539","GHSA-c6qg-cjj8-47qp","GMS-2023-769"],"risk_score":2.4,"exploitability":"0.5","weighted_severity":"4.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50562?format=json","vulnerability_id":"VCID-yw62-qbkq-9ygq","summary":"Possible Information Leak / Session Hijack Vulnerability in Rack\nThere's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.\n\nThe session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.\n\n### Impact\n\nThe session id stored in a cookie is the same id that is used when querying the backing session storage engine.  Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id.  By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.\n\n## Releases\n\nThe 1.6.12 and 2.0.8 releases are available at the normal locations.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### Patches\n\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 1-6-session-timing-attack.patch - Patch for 1.6 series\n* 2-0-session-timing-attack.patch - Patch for 2.6 series\n\n### Credits\n\nThanks Will Leinweber for reporting this!","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16782","reference_id":"","reference_type":"","scores":[{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75707","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.7569","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75705","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.7568","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.7565","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75647","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75636","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75631","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75593","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00892","scoring_system":"epss","scoring_elements":"0.75761","published_at":"2026-05-14T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79291","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79285","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79315","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79301","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79327","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79336","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.7936","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79345","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79334","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79361","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01251","scoring_system":"epss","scoring_elements":"0.79357","published_at":"2026-04-18T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-16782"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3","scoring_elements":""},{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16782","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-16782"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/18/2","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/12/18/2"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/18/3","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/12/18/3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2019/12/19/3","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2019/12/19/3"},{"reference_url":"http://www.openwall.com/lists/oss-security/2020/04/08/1","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2020/04/08/1"},{"reference_url":"http://www.openwall.com/lists/oss-security/2020/04/09/2","reference_id":"","reference_type":"","scores":[{"value":"6.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2020/04/09/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789100","reference_id":"1789100","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1789100"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983","reference_id":"946983","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983"},{"reference_url":"https://github.com/advisories/GHSA-hrqr-hxpp-chr3","reference_id":"GHSA-hrqr-hxpp-chr3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hrqr-hxpp-chr3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2480","reference_id":"RHSA-2020:2480","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2480"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4366","reference_id":"RHSA-2020:4366","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4366"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1313","reference_id":"RHSA-2021:1313","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1313"},{"reference_url":"https://usn.ubuntu.com/USN-5253-1/","reference_id":"USN-USN-5253-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/USN-5253-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78834?format=json","purl":"pkg:gem/rack@2.0.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1j61-5e8x-7fbd"},{"vulnerability":"VCID-2p73-rc9t-rudb"},{"vulnerability":"VCID-2qba-a6bp-ryak"},{"vulnerability":"VCID-47ja-djzb-2bbw"},{"vulnerability":"VCID-5twm-pqc2-xyfn"},{"vulnerability":"VCID-6c1k-vgv4-93ad"},{"vulnerability":"VCID-7p12-ejdu-uqgy"},{"vulnerability":"VCID-7wvj-9h3p-23am"},{"vulnerability":"VCID-7zgg-tvu3-r7gt"},{"vulnerability":"VCID-8zkw-y3yd-yuft"},{"vulnerability":"VCID-9rpp-9xss-duf6"},{"vulnerability":"VCID-arac-j5h5-zkcu"},{"vulnerability":"VCID-azu5-jcmd-3ufx"},{"vulnerability":"VCID-c21j-snf1-d3cb"},{"vulnerability":"VCID-c5sc-7qnn-mkb9"},{"vulnerability":"VCID-d58r-22kr-9bct"},{"vulnerability":"VCID-fpg2-nhey-rkcc"},{"vulnerability":"VCID-gdhf-e8q1-kbat"},{"vulnerability":"VCID-gtzk-m9rm-57hw"},{"vulnerability":"VCID-j34j-bgfd-8fez"},{"vulnerability":"VCID-jg77-mm5c-gydu"},{"vulnerability":"VCID-m98a-mcyb-c7fm"},{"vulnerability":"VCID-metf-cghw-p3b5"},{"vulnerability":"VCID-npag-sz7d-v7b6"},{"vulnerability":"VCID-p3dk-p1gb-kkem"},{"vulnerability":"VCID-pbu7-4hdm-s3a6"},{"vulnerability":"VCID-qt1u-2p37-xfet"},{"vulnerability":"VCID-s971-gkdg-jkhc"},{"vulnerability":"VCID-skxv-7he3-xqgc"},{"vulnerability":"VCID-udc4-7jnt-y3fu"},{"vulnerability":"VCID-vkrw-y1j6-6fe7"},{"vulnerability":"VCID-w732-52bx-2qf8"},{"vulnerability":"VCID-wt7k-s1yd-nke6"},{"vulnerability":"VCID-wvs1-dhwp-ebat"},{"vulnerability":"VCID-xazq-qrm1-9ff6"},{"vulnerability":"VCID-xkah-9nv9-wufd"},{"vulnerability":"VCID-xnz5-gv2x-17bk"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.8"}],"aliases":["CVE-2019-16782","GHSA-hrqr-hxpp-chr3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yw62-qbkq-9ygq"}],"fixing_vulnerabilities":[],"risk_score":"3.4","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.0"}