Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01NHJyLTdmdnctNng4Zs4AA5mC

Rack Header Parsing leads to Possible Denial of Service Vulnerability

Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

Credits

Thanks to svalkanov for reporting this and
providing patches!

Permalink: https://github.com/advisories/GHSA-54rr-7fvw-6x8f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01NHJyLTdmdnctNng4Zs4AA5mC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 9 months ago
Updated: 9 months ago


Identifiers: GHSA-54rr-7fvw-6x8f, CVE-2024-26146
References: Repository: https://github.com/rack/rack
Blast Radius: 0.0

Affected Packages

rubygems:rack
Dependent packages: 3,634
Dependent repositories: 1,043,594
Downloads: 971,392,010 total
Affected Version Ranges: < 2.0.9.4, >= 2.1.0, < 2.1.4.4, >= 2.2.0, < 2.2.8.1, >= 3.0.0, < 3.0.9.1
Fixed in: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8
All unaffected versions: