VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-udc4-7jnt-y3fu

Essentials
Severities (30)
References (28)
Severity details (21)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-udc4-7jnt-y3fu
Aliases	CVE-2022-30123 GHSA-wq4h-7r42-5hrr GMS-2022-1644
Summary	Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents.
Status	Published
Exploitability	0.5
Weighted Severity	9.0
Risk	4.5
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-150	Improper Neutralization of Escape, Meta, or Control Sequences
CWE-179	Incorrect Behavior Order: Early Validation
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	10.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02072	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02128	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
epss	0.02128	https://api.first.org/data/v1/epss?cve=CVE-2022-30123
cvssv3.1	10.0	https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
generic_textual	CRITICAL	https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
cvssv3.1	9.8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	CRITICAL	https://github.com/advisories/GHSA-wq4h-7r42-5hrr
cvssv3.1	10.0	https://github.com/rack/rack
generic_textual	CRITICAL	https://github.com/rack/rack
cvssv3.1	10.0	https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88
generic_textual	CRITICAL	https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88
cvssv3.1	10.0	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml
generic_textual	CRITICAL	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml
cvssv3	10.0	https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
cvssv3.1	10.0	https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
generic_textual	CRITICAL	https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
cvssv3.1	10.0	https://nvd.nist.gov/vuln/detail/CVE-2022-30123
generic_textual	CRITICAL	https://nvd.nist.gov/vuln/detail/CVE-2022-30123
cvssv3.1	10.0	https://security.gentoo.org/glsa/202310-18
generic_textual	CRITICAL	https://security.gentoo.org/glsa/202310-18
cvssv3.1	10.0	https://security.netapp.com/advisory/ntap-20231208-0011
generic_textual	CRITICAL	https://security.netapp.com/advisory/ntap-20231208-0011
cvssv3.1	10.0	https://www.debian.org/security/2023/dsa-5530
generic_textual	CRITICAL	https://www.debian.org/security/2023/dsa-5530

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-30123
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
		https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/rack/rack
		https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml
		https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
		https://nvd.nist.gov/vuln/detail/CVE-2022-30123
		https://security.netapp.com/advisory/ntap-20231208-0011
		https://security.netapp.com/advisory/ntap-20231208-0011/
		https://www.debian.org/security/2023/dsa-5530
2099524		https://bugzilla.redhat.com/show_bug.cgi?id=2099524
GHSA-wq4h-7r42-5hrr		https://github.com/advisories/GHSA-wq4h-7r42-5hrr
GLSA-202310-18		https://security.gentoo.org/glsa/202310-18
RHSA-2022:7343		https://access.redhat.com/errata/RHSA-2022:7343
RHSA-2023:0632		https://access.redhat.com/errata/RHSA-2023:0632
RHSA-2023:1486		https://access.redhat.com/errata/RHSA-2023:1486
USN-5896-1		https://usn.ubuntu.com/5896-1/
USN-7036-1		https://usn.ubuntu.com/7036-1/
USN-USN-5253-1		https://usn.ubuntu.com/USN-5253-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/rack/rack

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2022-30123

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://security.gentoo.org/glsa/202310-18

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://security.netapp.com/advisory/ntap-20231208-0011

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H Found at https://www.debian.org/security/2023/dsa-5530

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.83914
EPSS Score	0.02072
Published At	April 7, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:02:50.269859+00:00	Gentoo Importer	Import	https://security.gentoo.org/glsa/202310-18	38.0.0