CVE-2023-27530
Published: 10 March 2023
A DoS vulnerability exists in Rack before v3.0.4.2, v2.2.6.3, v2.1.4.3 and v2.0.9.3 in the multipart MIME parsing code, which could allow an attacker to craft requests that abuse the parser and cause multipart parsing to take longer than expected.
Notes
Author | Note |
---|---|
iconstantin | Intrusive backport for older releases. |
Priority
Status
Package | Release | Status |
---|---|---|
ruby-rack (Launchpad, Ubuntu, Debian) | bionic | Ignored (intrusive backport) |
ruby-rack | focal | Needs triage |
ruby-rack | jammy | Needs triage |
ruby-rack | kinetic | Ignored (end of life, was needs-triage) |
ruby-rack | lunar | Ignored (end of life, was needs-triage) |
ruby-rack | mantic | Needs triage |
ruby-rack | noble | Not vulnerable (2.2.7-1) |
ruby-rack | trusty | Ignored (intrusive backport) |
ruby-rack | upstream | Released (2.2.6.4-1) |
ruby-rack | xenial | Ignored (intrusive backport) |
Patches:
upstream: https://github.com/rack/rack/commit/8e8869d625e73e16b576b6d31b50208e9ec8002f
upstream: https://github.com/rack/rack/commit/9aac3757fe19cdb0476504c9245170115bec9668
upstream: https://github.com/rack/rack/commit/b632718265fa5ffa547b060331341a1e216b4ffa
upstream: https://github.com/rack/rack/commit/5f6e2fcbbdbff2dfaa21baa693e9d23d12ac1459
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |