FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rack -- Multiple vulnerabilities

Affected packages
rubygem-rack < 3.0.4.1,3
rubygem-rack22 < 2.2.6.2,3
rubygem-rack16 < 1.6.14

Details

VuXML ID 95176ba5-9796-11ed-bfbf-080027f5fec9
Discovery 2023-01-17
Entry 2023-01-19

Aaron Patterson reports:

CVE-2022-44570
Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
CVE-2022-44571
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
CVE-2022-44572
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

References

CVE Name CVE-2022-44570
CVE Name CVE-2022-44571
CVE Name CVE-2022-44572
URL https://github.com/advisories/GHSA-65f5-mfpf-vfhj
URL https://github.com/advisories/GHSA-93pm-5p5f-3ghx
URL https://github.com/advisories/GHSA-rqv2-275x-2jq5
URL https://github.com/rack/rack/blob/v3.0.4.1/CHANGELOG.md