CVE-2022-44571

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.

References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type

GIT

Repo

https://github.com/rack/rack

Events

Introduced

1a408687493175250408fe87c5046bf1adfa6386

Fixed

d573159067d8dc64db97beff67621654754e86f2

Introduced

879ae7163a399a9ed36d876668f4ecae4ae8b9e4

Fixed

8b8efd9591876cb6d40b3120388a8b9a0e083777

Introduced

39d501a28c1fe51284addfe6dacffafb69d49849

Fixed

20bc90c2431d7fabcd1873410543cf3d72f65004

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.0.9.2"
        },
        {
            "introduced": "2.1.0"
        },
        {
            "fixed": "2.1.4.2"
        },
        {
            "introduced": "2.2.0"
        },
        {
            "fixed": "2.2.6.1"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.4.1

2.2.0

2.2.3

2.2.3.1

2.2.4

v2.*

v2.2.1

v2.2.2

v2.2.5

v2.2.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-44571.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "3.0.0.0"
            },
            {
                "fixed": "3.0.4.1"
            }
        ]
    }
]