FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

rack -- possible DoS vulnerability in multipart MIME parsing

Affected packages
rubygem-rack < 3.0.4.2,3
rubygem-rack22 < 2.2.6.3,3
rubygem-rack16 < 1.6.14

Details

VuXML ID f0798a6a-bbdb-11ed-ba99-080027f5fec9
Discovery 2023-03-03
Entry 2023-03-06

Aaron Patterson reports:

The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

References

CVE Name CVE-2023-27530
URL https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388