{"url":"http://public2.vulnerablecode.io/api/packages/69188?format=json","purl":"pkg:gem/rack@3.0.9.1","type":"gem","namespace":"","name":"rack","version":"3.0.9.1","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"3.1.17","latest_non_vulnerable_version":"3.2.5","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47151?format=json","vulnerability_id":"VCID-52qe-dast-tkhu","summary":"Rack Header Parsing leads to Possible Denial of Service Vulnerability\n# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack.  This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected:  All.\nNot affected:       None\nFixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. 
They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!","references":[{"reference_url":"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942","reference_id":"","reference_type":"","scores":[],"url":"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"},{"reference_url":"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"},{"reference_url":"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"},{"reference_url":"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26146","reference_id":"CVE-2024-26146","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26146"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob
/master/gems/rack/CVE-2024-26146.yml","reference_id":"CVE-2024-26146.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"},{"reference_url":"https://github.com/advisories/GHSA-54rr-7fvw-6x8f","reference_id":"GHSA-54rr-7fvw-6x8f","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-54rr-7fvw-6x8f"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f","reference_id":"GHSA-54rr-7fvw-6x8f","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69191?format=json","purl":"pkg:gem/rack@2.0.9.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4"},{"url":"http://public2.vulnerablecode.io/api/packages/69190?format=json","purl":"pkg:gem/rack@2.1.4.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4"},{"url":"http://public2.vulnerablecode.io/api/packages/69189?format=json","purl":"pkg:gem/rack@2.2.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/69188?format=json","purl":"pkg:gem/rack@3.0.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1"}],"aliases":["CVE-2024-26146","GHSA-54rr-7fvw-6x8f"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47156?format=json","vulnerability_id":"VCID-heu4-cd3d-73ck","summary":"Rack has possible DoS Vulnerability with Range Header\n# 
Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack.  This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected:  >= 1.3.0.\nNot affected:       < 1.3.0\nFixed Versions:     3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report 
and\npatch","references":[{"reference_url":"https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944","reference_id":"","reference_type":"","scores":[],"url":"https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9"},{"reference_url":"https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26141","reference_id":"CVE-2024-26141","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26141"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml","reference_id":"CVE-2024-26141.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml"},{"reference_url":"https://github.com/advisories/GHSA-xj5v-6v4g-jfw6","reference_id":"GHSA-xj5v-6v4g-jfw6","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-xj5v-6v4g-jfw6"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6","reference_id":"GHSA-xj5v-6v4g-jfw6","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69189?format=json","purl":"pkg:gem/rack@2.2.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.i
o/packages/pkg:gem/rack@2.2.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/69188?format=json","purl":"pkg:gem/rack@3.0.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1"}],"aliases":["CVE-2024-26141","GHSA-xj5v-6v4g-jfw6"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47152?format=json","vulnerability_id":"VCID-yq3g-ykeu-pfbp","summary":"Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)\n### Summary\n\n```ruby\nmodule Rack\n  class MediaType\n    SPLIT_PATTERN = %r{\\s*[;,]\\s*}\n```\n\nThe above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.\n\n### PoC\n\nA simple HTTP request with lots of blank characters in the content-type header:\n\n```ruby\nrequest[\"Content-Type\"] = (\" \" * 50_000) + \"a,\"\n```\n\n### Impact\n\nIt's a very easy to craft ReDoS. 
Like all ReDoS the impact is debatable.","references":[{"reference_url":"https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941","reference_id":"","reference_type":"","scores":[],"url":"https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941"},{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462"},{"reference_url":"https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25126","reference_id":"CVE-2024-25126","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-25126"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml","reference_id":"CVE-2024-25126.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml"},{"reference_url":"https://github.com/advisories/GHSA-22f2-v57c-j9cx","reference_id":"GHSA-22f2-v57c-j9cx","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-22f2-v57c-j9cx"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx","reference_id":"GHSA-22f2-v57c-j9cx","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/69189?format=json","purl":"pkg:gem/rack@2.2.8.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"r
esource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1"},{"url":"http://public2.vulnerablecode.io/api/packages/69188?format=json","purl":"pkg:gem/rack@3.0.9.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1"}],"aliases":["CVE-2024-25126","GHSA-22f2-v57c-j9cx"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yq3g-ykeu-pfbp"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1"}
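The VCID-yq3g-ykeu-pfbp record above quotes the `SPLIT_PATTERN` that made Rack's `Content-Type` parsing quadratic and gives a one-line PoC. The following Ruby is an added example, not code from Rack or from the reporter: it puts that pattern beside a linear alternative (splitting on the delimiter alone and stripping afterwards, which is this example's own choice and not a statement of what the upstream commits changed), wraps both in a small media-type parser, and times them on the report's blank-padded header. Function names, the `MediaTypeDemo` module and the constructed headers are all this example's own.

```ruby
# Added example (not Rack's code): the regexp quoted in the CVE-2024-25126
# report beside a linear alternative, with a harness to measure both.
module MediaTypeDemo
  # The pattern quoted in the advisory. On a long run of blanks that is not
  # followed by ';' or ',', the engine tries every start offset, and from
  # each one the leading `\s*` re-scans the remaining blanks before failing:
  # O(n^2) work for n blanks.
  VULNERABLE_SPLIT = %r{\s*[;,]\s*}

  # Alternative used by this example (an assumption about good practice, not
  # a claim about the upstream fix): split on the delimiter only, then strip
  # each piece. Each step is a single pass over the string.
  SAFE_SPLIT = /[;,]/

  # Both parsers return [type, params]: the lower-cased media type and a Hash
  # of parameters with surrounding double quotes removed.
  def self.parse_vulnerable(content_type)
    return nil if content_type.nil?
    type, *params = content_type.split(VULNERABLE_SPLIT)
    [type.to_s.strip.downcase, params_to_hash(params)]
  end

  def self.parse_safe(content_type)
    return nil if content_type.nil?
    type, *params = content_type.split(SAFE_SPLIT).map(&:strip)
    [type.to_s.downcase, params_to_hash(params)]
  end

  def self.params_to_hash(params)
    params.each_with_object({}) do |param, h|
      k, v = param.split('=', 2)
      next unless k && v
      h[k.strip] = v.strip.delete_prefix('"').delete_suffix('"')
    end
  end

  # The PoC header from the report, constructed here: `blanks` spaces, then "a,".
  def self.poc_header(blanks = 50_000)
    (' ' * blanks) + 'a,'
  end

  # Wall-clock seconds for one parse of the PoC header with each parser,
  # returned as [vulnerable, safe].
  def self.time_parse(blanks = 50_000)
    header = poc_header(blanks)
    [elapsed { parse_vulnerable(header) }, elapsed { parse_safe(header) }]
  end

  def self.elapsed
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    yield
    Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0
  end
end

if __FILE__ == $PROGRAM_NAME
  [5_000, 10_000, 20_000].each do |n|
    vuln, safe = MediaTypeDemo.time_parse(n)
    printf("%6d blanks: vulnerable %.3fs  safe %.6fs\n", n, vuln, safe)
  end
end
```

Doubling the blank count should roughly quadruple the vulnerable timing and leave the safe one flat. On Ruby 3.2 or newer the regexp engine's memoization may already keep the vulnerable split close to linear, so the contrast is clearest on older interpreters; the advisory text for CVE-2024-26146 above makes the same observation about Ruby 3.2 for the Accept and Forwarded header parsers.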
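The VCID-heu4-cd3d-73ck record above says that a crafted `Range` header can make `Rack::File` or `Rack::Utils.byte_ranges` callers return an unexpectedly large response, but it does not show how. The Ruby below is an added example, not Rack's own implementation: a minimal byte-range parser in the shape of `byte_ranges`, a constructed header that requests the whole resource many times over, and one check (rejecting multi-range requests whose combined length exceeds the resource) that stops the amplification. The check is this example's own choice and is not presented as the upstream patch; the `RangeDemo` module and its method names are assumptions.

```ruby
# Added example (not Rack's code): a small byte-range parser showing how a
# multi-range request amplifies response size, and one cap that prevents it.
module RangeDemo
  # Parse an HTTP Range header against a resource of `size` bytes.
  # Returns an Array of inclusive Ranges, [] when the header is absent or
  # malformed, or nil when the request is rejected as abusive.
  def self.byte_ranges(http_range, size, cap_total: true)
    return [] unless http_range && http_range =~ /\Abytes=([^;]+)\z/
    ranges = []
    $1.split(/,\s*/).each do |spec|
      return [] unless spec.include?('-')
      first, last = spec.split('-', 2)
      if first.nil? || first.empty?
        return [] if last.nil? || last.empty?     # "bytes=-" is malformed
        r0 = [size - last.to_i, 0].max             # suffix range: final N bytes
        r1 = size - 1
      else
        r0 = first.to_i
        r1 = (last.nil? || last.empty?) ? size - 1 : last.to_i
        return [] if r1 < r0                       # backwards range is invalid
        r1 = size - 1 if r1 >= size
      end
      ranges << (r0..r1) if r0 <= r1
    end

    # The amplification: the syntax does not stop a client from listing the
    # same full range thousands of times, and a multipart/byteranges reply
    # would then be N times the file. Reject multi-range requests whose
    # total length exceeds the resource (this example's own rule).
    if cap_total && ranges.size > 1
      total = ranges.sum(&:size)
      return nil if total > size
    end
    ranges
  end

  # Bytes a server would emit for the given ranges (part bodies only), to
  # make the blow-up visible. nil (rejected) costs nothing.
  def self.response_bytes(ranges)
    return 0 if ranges.nil?
    ranges.sum(&:size)
  end

  # Constructed abusive header: the whole resource requested `repeats` times.
  def self.abusive_header(repeats = 1000)
    'bytes=' + Array.new(repeats, '0-').join(',')
  end
end

if __FILE__ == $PROGRAM_NAME
  size = 1_048_576 # a 1 MiB resource (constructed)
  header = RangeDemo.abusive_header(1000)
  puts "uncapped: #{RangeDemo.response_bytes(RangeDemo.byte_ranges(header, size, cap_total: false))} bytes"
  puts "capped:   #{RangeDemo.response_bytes(RangeDemo.byte_ranges(header, size))} bytes"
end
```

Without the cap, a 1 MiB file and a header of about 6 KB produce a 1 GiB response body, which is the asymmetry the advisory describes; with it, the request is refused before any bytes are read.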