gsd-2011-5036
Vulnerability from gsd
Modified
2011-12-28 00:00
Details
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 stores form parameters in a hash table keyed by a predictable (non-randomized) hash function and does not restrict an attacker's ability to choose parameter names that collide. A remote, unauthenticated attacker can therefore send requests containing many crafted, colliding parameters and force worst-case hash-table behaviour, consuming CPU and causing a denial of service (CVSS v2 AV:N/AC:L/Au:N/C:N/I:N/A:P, 5.0). Upgrade to 1.1.3, 1.2.5, 1.3.6 or 1.4.0 and later; the upstream fix commit is listed in the references below.
Aliases
{
"GSD": {
"alias": "CVE-2011-5036",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"id": "GSD-2011-5036",
"references": [
"https://www.suse.com/security/cve/CVE-2011-5036.html",
"https://www.debian.org/security/2013/dsa-2783"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack",
"purl": "pkg:gem/rack"
}
}
],
"aliases": [
"CVE-2011-5036",
"OSVDB-78121"
],
"details": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"id": "GSD-2011-5036",
"modified": "2011-12-28T00:00:00.000Z",
"published": "2011-12-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5036",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "https://gist.github.com/52bbc6b9cc19ce330829",
"refsource": "CONFIRM",
"url": "https://gist.github.com/52bbc6b9cc19ce330829"
},
{
"name": "VU#903934",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "DSA-2783",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2013/dsa-2783"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2011-5036",
"cvss_v2": 5.0,
"date": "2011-12-28",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"gem": "rack",
"osvdb": 78121,
"patched_versions": [
"~\u003e 1.1.3",
"~\u003e 1.2.5",
"~\u003e 1.3.6",
"\u003e= 1.4.0"
],
"title": "CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5036"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.1.3||\u003e=1.2.0 \u003c1.2.5||\u003e=1.3.0.beta \u003c1.3.6",
"affected_versions": "All versions before 1.1.3, all versions starting from 1.2.0 before 1.2.5, all versions starting from 1.3.0.beta before 1.3.6",
"credit": "James Tucker",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-310",
"CWE-937"
],
"date": "2013-10-30",
"description": "This package contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption.",
"fixed_versions": [
"1.1.3",
"1.2.5",
"1.3.6",
"1.4.0"
],
"identifier": "CVE-2011-5036",
"identifiers": [
"CVE-2011-5036"
],
"not_impacted": "All versions starting from 1.1.3 before 1.2.0, all versions starting from 1.2.5 before 1.3.0.beta, all versions starting from 1.3.6",
"package_slug": "gem/rack",
"pubdate": "2011-12-29",
"solution": "Upgrade to versions 1.1.3, 1.2.5, 1.3.6, 1.4.0 or above.",
"title": "Hash Collision Form Parameter Parsing Remote DoS",
"urls": [
"http://osvdb.org/show/osvdb/78121",
"https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228"
],
"uuid": "91c10b9d-8a39-4a86-b6a1-7285cddf1d53"
},
{
"affected_range": "(,1.6.5.1)",
"affected_versions": "All versions before 1.6.5.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-310",
"CWE-937"
],
"date": "2023-03-27",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"fixed_versions": [
"1.6.5.1"
],
"identifier": "CVE-2011-5036",
"identifiers": [
"GHSA-v6j3-7jrw-hq2p",
"CVE-2011-5036"
],
"not_impacted": "All versions starting from 1.6.5.1",
"package_slug": "maven/org.jruby/jruby-parent",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 1.6.5.1 or above.",
"title": "Rack subject to Denial of Service via hash collisions",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2011-5036",
"https://gist.github.com/52bbc6b9cc19ce330829",
"http://www.debian.org/security/2013/dsa-2783",
"http://www.kb.cert.org/vuls/id/903934",
"http://www.ocert.org/advisories/ocert-2011-003.html",
"https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1",
"https://github.com/advisories/GHSA-v6j3-7jrw-hq2p"
],
"uuid": "87cc4514-94d9-45d1-bb2d-1e027bc594cd"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5036"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#903934",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "https://gist.github.com/52bbc6b9cc19ce330829",
"refsource": "CONFIRM",
"tags": [
"Exploit"
],
"url": "https://gist.github.com/52bbc6b9cc19ce330829"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"tags": [],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
},
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"tags": [],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "DSA-2783",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2013/dsa-2783"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-10-31T03:21Z",
"publishedDate": "2011-12-30T01:55Z"
}
}
}