Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12NmozLTdqcnctaHEycM4AAe7J
Rack Gem Subject to Denial of Service via Hash Collisions
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Permalink: https://github.com/advisories/GHSA-v6j3-7jrw-hq2p
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12NmozLTdqcnctaHEycM4AAe7J
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
Identifiers: GHSA-v6j3-7jrw-hq2p, CVE-2011-5036
References:
- https://nvd.nist.gov/vuln/detail/CVE-2011-5036
- https://gist.github.com/52bbc6b9cc19ce330829
- http://www.debian.org/security/2013/dsa-2783
- http://www.kb.cert.org/vuls/id/903934
- http://www.ocert.org/advisories/ocert-2011-003.html
- https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml
- https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://www.nruns.com/_downloads/advisory28122011.pdf
- https://github.com/advisories/GHSA-v6j3-7jrw-hq2p
Affected Packages
maven:org.jruby:jruby-parent
Dependent packages: 0
Dependent repositories: 0
Downloads:
Affected Version Ranges: < 1.6.5.1
Fixed in: 1.6.5.1
All affected versions:
All unaffected versions: 1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25, 1.7.26, 1.7.27
rubygems:rack
Dependent packages: 3,634
Dependent repositories: 1,043,594
Downloads: 971,392,010 total
Affected Version Ranges: >= 1.3.0, < 1.3.6, >= 1.2.0, < 1.2.5, < 1.1.3
Fixed in: 1.3.6, 1.2.5, 1.1.3
All affected versions: 0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5
All unaffected versions: 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8