GHSA-hxqx-xwvh-44m2

Suggest an improvement
Source
https://github.com/advisories/GHSA-hxqx-xwvh-44m2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hxqx-xwvh-44m2/GHSA-hxqx-xwvh-44m2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hxqx-xwvh-44m2
Aliases
Published
2022-05-27T16:36:52Z
Modified
2024-02-18T05:27:39.361222Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Denial of Service Vulnerability in Rack Multipart Parsing
Details

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.

Versions Affected: >= 1.2 Not affected: < 1.2 Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

But it also includes reading POST data from a Rack request object like this:

p request.POST # read POST data
p request.params # reads both query params and POST data

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

References

Affected packages

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2
Fixed
2.0.9.1

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0.beta
1.3.0.beta2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0.beta.1
1.5.0.beta.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0.beta
1.6.0.beta2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13

2.*

2.0.0.alpha
2.0.0.rc1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9

Database specific

{
    "last_known_affected_version_range": "<= 2.0.9.0"
}

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.1
Fixed
2.1.4.1

Affected versions

2.*

2.1.0
2.1.1
2.1.2
2.1.3
2.1.4

Database specific

{
    "last_known_affected_version_range": "<= 2.1.4.0"
}

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.2
Fixed
2.2.3.1

Affected versions

2.*

2.2.0
2.2.1
2.2.2
2.2.3

Database specific

{
    "last_known_affected_version_range": "<= 2.2.3.0"
}