CVE-2011-5036: Inefficient Algorithmic Complexity in Rack

Severity: 5.0 MEDIUM (NVD)
EPSS: 1.3% (top 20.42%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Dec 30
Latest update: May 17

Description

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVSS vector

AV:N/AC:L/C:N/I:N/A:P
Exploitability: 10.0 | Impact: 2.9

Affected Packages (2 packages)

RubyGems | rack/rack | 1.2.0 | 1.2.5 | +2
NVD | rack_project/rack | 1.1.0 | +11

Vulnerability Details (4)

OSV: Rack Gem Subject to Denial of Service via Hash Collisions (2022-05-17)
GHSA: Rack Gem Subject to Denial of Service via Hash Collisions (2022-05-17)
CVEList: CVE-2011-5036: Rack before 1 (2011-12-30)
OSV: CVE-2011-5036: Rack before 1 (2011-12-30)

Vendor Advisories (2)

Red Hat: rubygem-rack: hash table collisions DoS (oCERT-2011-003) (2011-12-28)
Debian: CVE-2011-5036: ruby-rack - Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash valu... (2011)

Community (4)

Bugzilla: CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003) (2012-01-02)
Bugzilla: CVE-2011-5036 CVE-2013-0184 rubygem-rack various flaws [epel-all] (2012-01-02)
Bugzilla: CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003) [fedora-all] (2012-01-02)
Bugzilla: CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003) [epel-5] (2012-01-02)
CVE-2011-5036 — Inefficient Algorithmic Complexity | cvebase