GHSA-v6j3-7jrw-hq2p

Source

https://github.com/advisories/GHSA-v6j3-7jrw-hq2p

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v6j3-7jrw-hq2p/GHSA-v6j3-7jrw-hq2p.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v6j3-7jrw-hq2p

Aliases

CVE-2011-5036

Published

2022-05-17T04:59:13Z

Modified

2024-11-30T05:29:12.044806Z

Summary

Rack Gem Subject to Denial of Service via Hash Collisions

Details

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Database specific

{
    "nvd_published_at": "2011-12-30T01:55:00Z",
    "cwe_ids": [
        "CWE-328",
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-27T16:12:55Z"
}

References

Affected packages

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.1.3

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1.pre

1.1.1

1.1.2

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.2.0

Fixed

1.2.5

Affected versions

1.*

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.3.0

Fixed

1.3.6

Affected versions

1.*

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

Maven / org.jruby:jruby-parent

Package

Name: org.jruby:jruby-parent; View open source insights on deps.dev
Purl: pkg:maven/org.jruby/jruby-parent

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.5.1