CVE-2024-39316.yml
---
gem: rack
cve: 2024-39316
ghsa: cj83-2ww7-mvq7
url: https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7
title: Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
date: 2024-07-03
description: |
  ### Summary
  A Regular Expression Denial of Service (ReDoS) vulnerability exists
  in the `Rack::Request::Helpers` module when parsing HTTP Accept headers.
  This vulnerability can be exploited by an attacker sending specially
  crafted `Accept-Encoding` or `Accept-Language` headers, causing the
  server to spend excessive time processing the request and leading
  to a Denial of Service (DoS).
  ### Details
  The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
  was not applied to the main branch and thus while the issue was fixed
  for the Rack v3.0 release series, it was not fixed in the v3.1
  release series until v3.1.5.
cvss_v3: 6.5
unaffected_versions:
  - "< 3.1.0"
patched_versions:
  - ">= 3.1.5"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2024-39316
    - https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7
    - https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058
    - https://github.com/advisories/GHSA-cj83-2ww7-mvq7
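The practical question for a defender is whether a given application's pinned `rack` version falls inside the `unaffected_versions` or `patched_versions` ranges above. The following Ruby is an added example, not part of the advisory database or of Rack: it evaluates those ranges with the standard `Gem::Requirement` semantics (the same operators the YAML uses) and checks a constructed `Gemfile.lock` excerpt against them. The `advisory_status`/`lockfile_status` helper names and the sample lockfile are assumptions made for this example.

```ruby
require 'rubygems' # provides Gem::Version and Gem::Requirement
require 'yaml'

# Constructed excerpt of the advisory record above (only the fields the check needs).
ADVISORY = YAML.safe_load(<<~YML)
  gem: rack
  cve: 2024-39316
  unaffected_versions:
    - "< 3.1.0"
  patched_versions:
    - ">= 3.1.5"
YML

# Classifies a version string as :unaffected, :patched or :vulnerable.
# Unaffected ranges are tested first, then patched ranges; anything else is vulnerable.
# Note that Gem::Version orders prereleases below their release (3.1.0.beta1 < 3.1.0),
# so a 3.1.0 prerelease would be classified :unaffected by "< 3.1.0".
def advisory_status(advisory, version_string)
  version = Gem::Version.new(version_string)
  in_ranges = lambda do |key|
    Array(advisory[key]).any? { |req| Gem::Requirement.new(req).satisfied_by?(version) }
  end
  return :unaffected if in_ranges.call('unaffected_versions')
  return :patched if in_ranges.call('patched_versions')
  :vulnerable
end

# Finds the resolved version of the advisory's gem in Gemfile.lock text and classifies it.
# Resolved specs sit under "specs:" indented by exactly four spaces, e.g. "    rack (3.1.4)";
# dependency lines (six spaces, "rack (>= 3)") deliberately do not match.
# Returns nil when the gem is not present in the lockfile.
def lockfile_status(advisory, lockfile_text)
  pattern = /^ {4}#{Regexp.escape(advisory['gem'])} \(([^)\s]+)\)\s*$/
  match = lockfile_text.match(pattern)
  match && advisory_status(advisory, match[1])
end

# Constructed Gemfile.lock excerpt pinning a version in the vulnerable 3.1.x window.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.4)
      rackup (2.1.0)
        rack (>= 3)
LOCK

puts "rack in sample lockfile: #{lockfile_status(ADVISORY, SAMPLE_LOCK)}" if $PROGRAM_NAME == __FILE__
```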