Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS12NmozLTdqcnctaHEycM4AAe7J

Moderate EPSS: 0.01278% (0.78503 Percentile) EPSS:
Permalink JSON

Rack Gem Subject to Denial of Service via Hash Collisions

Affected Packages Affected Versions Fixed Versions
maven:org.jruby:jruby-parent < 1.6.5.1 1.6.5.1
0 Dependent packages
0 Dependent repositories

Affected Version Ranges

All affected versions

All unaffected versions

1.7.5, 1.7.6, 1.7.7, 1.7.8, 1.7.9, 1.7.10, 1.7.11, 1.7.12, 1.7.13, 1.7.14, 1.7.15, 1.7.16, 1.7.17, 1.7.18, 1.7.19, 1.7.20, 1.7.21, 1.7.22, 1.7.23, 1.7.24, 1.7.25, 1.7.26, 1.7.27
rubygems:rack
PURL: pkg:gem/rack
>= 1.3.0, < 1.3.6, >= 1.2.0, < 1.2.5, < 1.1.3 1.3.6, 1.2.5, 1.1.3
3,634 Dependent packages
1,043,594 Dependent repositories
1,142,901,516 Downloads total

Affected Version Ranges

All affected versions

0.1.0, 0.2.0, 0.3.0, 0.4.0, 0.9.0, 0.9.1, 1.0.0, 1.0.1, 1.1.0, 1.1.1, 1.1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5

All unaffected versions

1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.2.17, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.1.11, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.2.0, 3.2.1

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

References:

Identifiers

GHSA-v6j3-7jrw-hq2p

CVE-2011-5036

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.01278

EPSS Percentile: 0.78503

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

over 3 years ago

Updated

about 2 years ago

API

JSON