cve-2024-26146
Vulnerability from cvelistv5
Published
2024-02-28 23:28
Modified
2024-08-01 23:59
Summary
Possible Denial of Service Vulnerability in Rack Header Parsing
References
security-advisories@github.comhttps://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
security-advisories@github.comhttps://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
security-advisories@github.comhttps://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
security-advisories@github.comhttps://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
security-advisories@github.comhttps://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
security-advisories@github.comhttps://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
security-advisories@github.comhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
security-advisories@github.comhttps://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
security-advisories@github.comhttps://security.netapp.com/advisory/ntap-20240510-0006/
af854a3a-2127-422b-91ae-364da2661108https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
af854a3a-2127-422b-91ae-364da2661108https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
af854a3a-2127-422b-91ae-364da2661108https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20240510-0006/
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rack_project:rack:2.2.0:*:*:*:*:ruby:*:*",
              "cpe:2.3:a:rack_project:rack:2.1.0:*:*:*:*:ruby:*:*",
              "cpe:2.3:a:rack_project:rack:3.0.0:-:*:*:*:ruby:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rack",
            "vendor": "rack_project",
            "versions": [
              {
                "lessThan": "2.1.4.4",
                "status": "affected",
                "version": "2.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "2.2.8.1",
                "status": "affected",
                "version": "2.2.0",
                "versionType": "custom"
              },
              {
                "lessThan": "3.0.9.1",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "custom"
              }
            ]
          },
          {
            "cpes": [
              "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rack",
            "vendor": "rack_project",
            "versions": [
              {
                "lessThan": "2.0.9.4",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26146",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-29T17:31:54.207314Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-07-25T16:39:52.274Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:59:32.576Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
          },
          {
            "name": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
          },
          {
            "name": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
          },
          {
            "name": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
          },
          {
            "name": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
          },
          {
            "name": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
          },
          {
            "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240510-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rack",
          "vendor": "rack",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.9.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.2.0, \u003c 2.2.8.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.1.0, \u003c 2.1.4.4"
            },
            {
              "status": "affected",
              "version": "\u003c 2.0.9.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\n"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-28T23:28:01.158Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
        },
        {
          "name": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
        },
        {
          "name": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
        },
        {
          "name": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
        },
        {
          "name": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
        },
        {
          "name": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
        },
        {
          "name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240510-0006/"
        }
      ],
      "source": {
        "advisory": "GHSA-54rr-7fvw-6x8f",
        "discovery": "UNKNOWN"
      },
      "title": "Possible Denial of Service Vulnerability in Rack Header Parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-26146",
    "datePublished": "2024-02-28T23:28:01.158Z",
    "dateReserved": "2024-02-14T17:40:03.689Z",
    "dateUpdated": "2024-08-01T23:59:32.576Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26146\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-29T00:15:51.597\",\"lastModified\":\"2024-11-21T09:02:01.697\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\\n\"},{\"lang\":\"es\",\"value\":\"Rack es una interfaz modular de servidor web Ruby. Los encabezados cuidadosamente elaborados pueden hacer que el an\u00e1lisis de encabezados en Rack demore m\u00e1s de lo esperado, lo que resulta en un posible problema de denegaci\u00f3n de servicio. Los encabezados Aceptar y Reenviar se ven afectados. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rack que usan Ruby 3.2 o posterior no se ven afectadas. Esta vulnerabilidad se solucion\u00f3 en 2.0.9.4, 2.1.4.4, 2.2.8.1 y 3.0.9.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240510-0006/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240510-0006/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.