CVE-2024-26146

Source

https://nvd.nist.gov/vuln/detail/CVE-2024-26146

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26146.json

Aliases

GHSA-54rr-7fvw-6x8f

Related

Published

2024-02-29T00:15:51Z

Modified

2024-05-14T13:10:08.632485Z

Summary

[none]

Details

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type: GIT
Repo: https://github.com/rack/rack
Events: Introduced

0The exact introduced commit is unknown

Fixed

30b8e39a578b25d4bdcc082c1c52c6f164b59716

Fixed

6c5d90bdcec0949f7ba06db62fb740dab394b582

Fixed

a227cd793778c7c3a827d32808058571569cda6f

Fixed

e4c117749ba24a66f8ec5a08eddf68deeb425ccd

Affected versions

0.*

0.1

0.2

0.3

1.*

1.0

1.1

1.2

1.2.1

1.3.0

1.3.0.beta

1.3.0.beta2

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.0.beta

1.6.0.beta2

2.*

2.0.0

2.0.0.alpha

2.0.0.rc1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.1

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.4.1

2.2.0

2.2.3

2.2.3.1

2.2.4

3.*

3.0.0

3.0.0.beta1

3.0.0.rc1

v2.*

v2.0.9.2

v2.0.9.3

v2.1.4.2

v2.1.4.3

v2.2.1

v2.2.2

v2.2.5

v2.2.6

v2.2.6.1

v2.2.6.2

v2.2.6.3

v2.2.6.4

v2.2.7

v2.2.8

v3.*

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.4.1

v3.0.4.2

v3.0.5

v3.0.6

v3.0.6.1

v3.0.7

v3.0.8

v3.0.9