GHSA-22f2-v57c-j9cx

Source

https://github.com/advisories/GHSA-22f2-v57c-j9cx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-22f2-v57c-j9cx/GHSA-22f2-v57c-j9cx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-22f2-v57c-j9cx

Aliases

CVE-2024-25126

Related

Published

2024-02-28T22:57:26Z

Modified

2024-06-10T18:52:04.810606Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Details

Summary

module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

Database specific

{
    "nvd_published_at": "2024-02-29T00:15:51Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2024-02-28T22:57:26Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ]
}

References

Affected packages

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0.0

Fixed

3.0.9.1

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.4.1

3.0.4.2

3.0.5

3.0.6

3.0.6.1

3.0.7

3.0.8

3.0.9

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0.4

Fixed

2.2.8.1

Affected versions

0.*

0.4.0

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1.pre

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.3.0.beta

1.3.0.beta2

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.5.0.beta.1

1.5.0.beta.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6.0.beta

1.6.0.beta2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

2.*

2.0.0.alpha

2.0.0.rc1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.1

2.0.9.2

2.0.9.3

2.0.9.4

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.4.1

2.1.4.2

2.1.4.3

2.1.4.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.3.1

2.2.4

2.2.5

2.2.6

2.2.6.1

2.2.6.2

2.2.6.3

2.2.6.4

2.2.7

2.2.8