cve-2024-26146
Vulnerability from cvelistv5
Published
2024-02-28 23:28
Modified
2025-02-13 17:41
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
References
security-advisories@github.comhttps://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942Vendor Advisory
security-advisories@github.comhttps://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716Patch
security-advisories@github.comhttps://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582Patch
security-advisories@github.comhttps://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6fPatch
security-advisories@github.comhttps://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccdPatch
security-advisories@github.comhttps://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8fVendor Advisory
security-advisories@github.comhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.ymlThird Party Advisory
security-advisories@github.comhttps://lists.debian.org/debian-lts-announce/2024/04/msg00022.htmlMailing List
security-advisories@github.comhttps://security.netapp.com/advisory/ntap-20240510-0006/Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582Patch
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6fPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccdPatch
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8fVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.ymlThird Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/04/msg00022.htmlMailing List
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240510-0006/Third Party Advisory
Impacted products
Vendor Product Version
rack rack Version: >= 3.0.0, < 3.0.9.1
Version: >= 2.2.0, < 2.2.8.1
Version: >= 2.1.0, < 2.1.4.4
Version: < 2.0.9.4
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            affected: [
               {
                  cpes: [
                     "cpe:2.3:a:rack_project:rack:2.2.0:*:*:*:*:ruby:*:*",
                     "cpe:2.3:a:rack_project:rack:2.1.0:*:*:*:*:ruby:*:*",
                     "cpe:2.3:a:rack_project:rack:3.0.0:-:*:*:*:ruby:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "rack",
                  vendor: "rack_project",
                  versions: [
                     {
                        lessThan: "2.1.4.4",
                        status: "affected",
                        version: "2.1.0",
                        versionType: "custom",
                     },
                     {
                        lessThan: "2.2.8.1",
                        status: "affected",
                        version: "2.2.0",
                        versionType: "custom",
                     },
                     {
                        lessThan: "3.0.9.1",
                        status: "affected",
                        version: "3.0.0",
                        versionType: "custom",
                     },
                  ],
               },
               {
                  cpes: [
                     "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
                  ],
                  defaultStatus: "unknown",
                  product: "rack",
                  vendor: "rack_project",
                  versions: [
                     {
                        lessThan: "2.0.9.4",
                        status: "affected",
                        version: "0",
                        versionType: "custom",
                     },
                  ],
               },
            ],
            metrics: [
               {
                  other: {
                     content: {
                        id: "CVE-2024-26146",
                        options: [
                           {
                              Exploitation: "none",
                           },
                           {
                              Automatable: "yes",
                           },
                           {
                              "Technical Impact": "partial",
                           },
                        ],
                        role: "CISA Coordinator",
                        timestamp: "2024-02-29T17:31:54.207314Z",
                        version: "2.0.3",
                     },
                     type: "ssvc",
                  },
               },
            ],
            providerMetadata: {
               dateUpdated: "2024-07-25T16:39:52.274Z",
               orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
               shortName: "CISA-ADP",
            },
            title: "CISA ADP Vulnrichment",
         },
         {
            providerMetadata: {
               dateUpdated: "2024-08-01T23:59:32.576Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  name: "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
                  tags: [
                     "x_refsource_CONFIRM",
                     "x_transferred",
                  ],
                  url: "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
               },
               {
                  name: "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
               },
               {
                  name: "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
               },
               {
                  name: "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
               },
               {
                  name: "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
               },
               {
                  name: "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
               },
               {
                  name: "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
                  tags: [
                     "x_refsource_MISC",
                     "x_transferred",
                  ],
                  url: "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://security.netapp.com/advisory/ntap-20240510-0006/",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "rack",
               vendor: "rack",
               versions: [
                  {
                     status: "affected",
                     version: ">= 3.0.0, < 3.0.9.1",
                  },
                  {
                     status: "affected",
                     version: ">= 2.2.0, < 2.2.8.1",
                  },
                  {
                     status: "affected",
                     version: ">= 2.1.0, < 2.1.4.4",
                  },
                  {
                     status: "affected",
                     version: "< 2.0.9.4",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.",
            },
         ],
         metrics: [
            {
               cvssV3_1: {
                  attackComplexity: "LOW",
                  attackVector: "NETWORK",
                  availabilityImpact: "LOW",
                  baseScore: 5.3,
                  baseSeverity: "MEDIUM",
                  confidentialityImpact: "NONE",
                  integrityImpact: "NONE",
                  privilegesRequired: "NONE",
                  scope: "UNCHANGED",
                  userInteraction: "NONE",
                  vectorString: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  version: "3.1",
               },
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-1333",
                     description: "CWE-1333: Inefficient Regular Expression Complexity",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2024-06-10T17:12:58.798Z",
            orgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
            shortName: "GitHub_M",
         },
         references: [
            {
               name: "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
               tags: [
                  "x_refsource_CONFIRM",
               ],
               url: "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
            },
            {
               name: "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
            },
            {
               name: "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
            },
            {
               name: "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
            },
            {
               name: "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
            },
            {
               name: "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
            },
            {
               name: "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
               tags: [
                  "x_refsource_MISC",
               ],
               url: "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
            },
            {
               url: "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html",
            },
            {
               url: "https://security.netapp.com/advisory/ntap-20240510-0006/",
            },
         ],
         source: {
            advisory: "GHSA-54rr-7fvw-6x8f",
            discovery: "UNKNOWN",
         },
         title: "Possible Denial of Service Vulnerability in Rack Header Parsing",
      },
   },
   cveMetadata: {
      assignerOrgId: "a0819718-46f1-4df5-94e2-005712e83aaa",
      assignerShortName: "GitHub_M",
      cveId: "CVE-2024-26146",
      datePublished: "2024-02-28T23:28:01.158Z",
      dateReserved: "2024-02-14T17:40:03.689Z",
      dateUpdated: "2025-02-13T17:41:07.669Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2024-26146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-29T00:15:51.597\",\"lastModified\":\"2025-02-14T15:51:42.200\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\"},{\"lang\":\"es\",\"value\":\"Rack es una interfaz modular de servidor web Ruby. Los encabezados cuidadosamente elaborados pueden hacer que el análisis de encabezados en Rack demore más de lo esperado, lo que resulta en un posible problema de denegación de servicio. Los encabezados Aceptar y Reenviar se ven afectados. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rack que usan Ruby 3.2 o posterior no se ven afectadas. Esta vulnerabilidad se solucionó en 2.0.9.4, 2.1.4.4, 2.2.8.1 y 3.0.9.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"0.4\",\"versionEndExcluding\":\"2.0.9.4\",\"matchCriteriaId\":\"8C61CB94-A5BE-4B72-B243-F935A4652B0B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"2.1.0\",\"versionEndExcluding\":\"2.1.4.4\",\"matchCriteriaId\":\"B5402B9E-EE8A-41A3-87CB-E17C57E5F692\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"2.2.0\",\"versionEndExcluding\":\"2.2.8.1\",\"matchCriteriaId\":\"4F7D6529-12DB-4466-A0AB-DED4653D3E0B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240510-0006/\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20240510-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}",
      vulnrichment: {
         containers: "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\", \"name\": \"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\", \"name\": \"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\", \"name\": \"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\", \"name\": \"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\", \"name\": \"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\", \"name\": \"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\", \"name\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240510-0006/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:59:32.576Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-26146\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-29T17:31:54.207314Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:rack_project:rack:2.2.0:*:*:*:*:ruby:*:*\", \"cpe:2.3:a:rack_project:rack:2.1.0:*:*:*:*:ruby:*:*\", \"cpe:2.3:a:rack_project:rack:3.0.0:-:*:*:*:ruby:*:*\"], \"vendor\": \"rack_project\", \"product\": \"rack\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.1.0\", \"lessThan\": \"2.1.4.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"2.2.0\", \"lessThan\": \"2.2.8.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"3.0.9.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}, {\"cpes\": [\"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*\"], \"vendor\": \"rack_project\", \"product\": \"rack\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"2.0.9.4\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-07-25T16:39:01.836Z\"}}], \"cna\": {\"title\": \"Possible Denial of Service Vulnerability in Rack Header Parsing\", \"source\": {\"advisory\": \"GHSA-54rr-7fvw-6x8f\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rack\", \"product\": \"rack\", \"versions\": [{\"status\": \"affected\", \"version\": \">= 3.0.0, < 3.0.9.1\"}, {\"status\": \"affected\", \"version\": \">= 2.2.0, < 2.2.8.1\"}, {\"status\": \"affected\", \"version\": \">= 2.1.0, < 2.1.4.4\"}, {\"status\": \"affected\", \"version\": \"< 2.0.9.4\"}]}], \"references\": [{\"url\": \"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\", \"name\": \"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\", \"name\": \"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\", \"name\": \"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\", \"name\": \"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\", \"name\": \"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\", \"name\": \"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\", \"name\": \"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240510-0006/\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-06-10T17:12:58.798Z\"}}}",
         cveMetadata: "{\"cveId\": \"CVE-2024-26146\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-02-13T17:41:07.669Z\", \"dateReserved\": \"2024-02-14T17:40:03.689Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-28T23:28:01.158Z\", \"assignerShortName\": \"GitHub_M\"}",
         dataType: "CVE_RECORD",
         dataVersion: "5.1",
      },
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.