usn-7036-1
Vulnerability from osv_ubuntu
Published
2024-09-26 04:19
Modified
2026-02-10 04:45
Summary
ruby-rack vulnerabilities
Details

It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application. (CVE-2022-30123)

It was discovered that Rack did not properly structure regular expressions in some of its parsing components, which could result in uncontrolled resource consumption if an application using Rack received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-44570, CVE-2022-44571)

It was discovered that Rack did not properly structure regular expressions in its multipart parsing component, which could result in uncontrolled resource consumption if an application using Rack to parse multipart posts received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-44572)

It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2023-27530)

It was discovered that Rack incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2023-27539)

It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A remote attacker could possibly use this issue to cause Rack to create large responses, leading to a denial of service. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2024-26146)


{
  "affected": [
    {
      "database_specific": {
        "cves_map": {
          "cves": [
            {
              "id": "CVE-2022-30122",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-30123",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-44570",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-44571",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2022-44572",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2023-27530",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2023-27539",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-25126",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-26141",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            },
            {
              "id": "CVE-2024-26146",
              "severity": [
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                  "type": "CVSS_V3"
                },
                {
                  "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                  "type": "CVSS_V3"
                },
                {
                  "score": "medium",
                  "type": "Ubuntu"
                }
              ]
            }
          ],
          "ecosystem": "Ubuntu:22.04:LTS"
        }
      },
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "ruby-rack",
            "binary_version": "2.1.4-5ubuntu1.1"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "ruby-rack",
        "purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.1.4-5ubuntu1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "2.1.4-3",
        "2.1.4-4",
        "2.1.4-5",
        "2.1.4-5ubuntu1"
      ]
    }
  ],
  "aliases": [],
  "details": "It was discovered that Rack was not properly parsing data when processing\nmultipart POST requests. If a user or automated system were tricked into\nsending a specially crafted multipart POST request to an application using\nRack, a remote attacker could possibly use this issue to cause a denial of\nservice. (CVE-2022-30122)\n\nIt was discovered that Rack was not properly escaping untrusted data when\nperforming logging operations, which could cause shell escaped sequences\nto be written to a terminal. If a user or automated system were tricked\ninto sending a specially crafted request to an application using Rack, a\nremote attacker could possibly use this issue to execute arbitrary code in\nthe machine running the application. (CVE-2022-30123)\n\nIt was discovered that Rack did not properly structure regular expressions\nin some of its parsing components, which could result in uncontrolled\nresource consumption if an application using Rack received specially\ncrafted input. A remote attacker could possibly use this issue to cause a\ndenial of service. (CVE-2022-44570, CVE-2022-44571)\n\nIt was discovered that Rack did not properly structure regular expressions\nin its multipart parsing component, which could result in uncontrolled\nresource consumption if an application using Rack to parse multipart posts\nreceived specially crafted input. A remote attacker could possibly use\nthis issue to cause a denial of service. (CVE-2022-44572)\n\nIt was discovered that Rack incorrectly handled Multipart MIME parsing.\nA remote attacker could possibly use this issue to cause Rack to consume\nresources, leading to a denial of service. (CVE-2023-27530)\n\nIt was discovered that Rack incorrectly handled certain regular\nexpressions. A remote attacker could possibly use this issue to cause\nRack to consume resources, leading to a denial of service.\n(CVE-2023-27539)\n\nIt was discovered that Rack incorrectly parsed certain media types. A\nremote attacker could possibly use this issue to cause Rack to consume\nresources, leading to a denial of service. (CVE-2024-25126)\n\nIt was discovered that Rack incorrectly handled certain Range headers. A\nremote attacker could possibly use this issue to cause Rack to create\nlarge responses, leading to a denial of service. (CVE-2024-26141)\n\nIt was discovered that Rack incorrectly handled certain crafted headers. A\nremote attacker could possibly use this issue to cause Rack to consume\nresources, leading to a denial of service. (CVE-2024-26146)\n",
  "id": "USN-7036-1",
  "modified": "2026-02-10T04:45:27Z",
  "published": "2024-09-26T04:19:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-7036-1"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-30122"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-30123"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-44570"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-44571"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2022-44572"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-27530"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2023-27539"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-25126"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-26141"
    },
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2024-26146"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.launchpad.net/ubuntu/+source/ruby-rack/+bug/2078711"
    }
  ],
  "related": [],
  "schema_version": "1.7.0",
  "summary": "ruby-rack vulnerabilities",
  "upstream": [
    "UBUNTU-CVE-2022-30122",
    "UBUNTU-CVE-2022-30123",
    "UBUNTU-CVE-2022-44570",
    "UBUNTU-CVE-2022-44571",
    "UBUNTU-CVE-2022-44572",
    "UBUNTU-CVE-2023-27530",
    "UBUNTU-CVE-2023-27539",
    "UBUNTU-CVE-2024-25126",
    "UBUNTU-CVE-2024-26141",
    "UBUNTU-CVE-2024-26146"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…