{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/44670?format=json","vulnerability_id":"VCID-bqpn-m2fh-9kab","summary":"Possible Denial of Service Vulnerability in Rack’s header parsing\nThere is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.","aliases":[{"alias":"CVE-2023-27539"},{"alias":"GHSA-c6qg-cjj8-47qp"},{"alias":"GMS-2023-769"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/64317?format=json","purl":"pkg:gem/rack@2.2.6.4","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4"},{"url":"http://public2.vulnerablecode.io/api/packages/64318?format=json","purl":"pkg:gem/rack@3.0.6.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/57019?format=json","purl":"pkg:gem/rack@2.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-1ra1-pgt2-3ubf"},{"vulnerability":"VCID-bqpn-m2fh-9kab"},{"vulnerability":"VCID-ebb6-b5tx-5bhf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/64279?format=json","purl":"pkg:gem/rack@3.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-52qe-dast-tkhu"},{"vulnerability":"VCID-bqpn-m2fh-9kab"},{"vulnerability":"VCID-heu4-cd3d-73ck"},{"vulnerability":"VCID-yq3g-ykeu-pfbp"},{"vulnerability":"VCID-zqax-g5xz-wuch"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0"}],"references":[{"reference_url":"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466","reference_id":"","reference_type":"","scores":[],"url":"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27539","reference_id":"CVE-2023-27539","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-27539"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml","reference_id":"CVE-2023-27539.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml"},{"reference_url":"https://github.com/advisories/GHSA-c6qg-cjj8-47qp","reference_id":"GHSA-c6qg-cjj8-47qp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-c6qg-cjj8-47qp"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":null,"exploitability":null,"weighted_severity":null,"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-bqpn-m2fh-9kab"}