GHSA-h77x-m5q8-c29h

Source
https://github.com/advisories/GHSA-h77x-m5q8-c29h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-h77x-m5q8-c29h/GHSA-h77x-m5q8-c29h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h77x-m5q8-c29h
Aliases
Published
2017-10-24T18:33:37Z
Modified
2024-11-29T05:40:18.610572Z
Summary
Rack vulnerable to REDoS
Details

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header.

Database specific
{
    "nvd_published_at": "2013-03-01T05:40:00Z",
    "cwe_ids": [
        "CWE-835"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:39:20Z"
}
References

Affected packages

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.1.4

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0
0.9.0
0.9.1

1.*

1.0.0
1.0.1
1.1.0
1.1.1.pre
1.1.1
1.1.2
1.1.3

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.6

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.7

Affected versions

1.*

1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.4.2

Affected versions

1.*

1.4.0
1.4.1