CVE-2012-6109
Published: 2013-03-01
Priority: P418, medium
CVSS 2.0: 4.3 (medium), vector AV:N/AC:M/Au:N/C:N/I:N/A:P
EPSS: 2.72% (84.2th percentile)
lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header.
Affected
30 ranges (25 shown on the source page)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 1.4.1-2.1 (bookworm) | ruby-rack 1.4.1-2.1 (bookworm) |
| rack | rack | >= 0 < 1.1.4 | 1.1.4 |
| rack | rack | >= 1.2.0 < 1.2.6 | 1.2.6 |
| rack | rack | >= 1.3.0 < 1.3.7 | 1.3.7 |
| rack | rack | >= 1.4.0 < 1.4.2 | 1.4.2 |
| rack_project | rack | <= 1.1.3 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | — | 4.3 | MEDIUM | — |
| vendor_debian | — | 4.3 | MEDIUM | — |
| vendor_redhat | — | 4.3 | MEDIUM | — |
GHSA
Rack vulnerable to REDoS (ghsa, 2017-10-24) · CVE-2012-6109 · MEDIUM · CWE-835
OSV
Rack vulnerable to REDoS (osv, 2017-10-24) · CVE-2012-6109 · MEDIUM
OSV
CVE-2012-6109: lib/rack/multipart (osv, 2013-03-01) · CVE-2012-6109 · MEDIUM · CVSS 4.3
Red Hat
rubygem-rack: parsing Content-Disposition header DoS (vendor_redhat, 2012-05-04) · CVE-2012-6109 · MEDIUM · CWE-835 · CVSS 4.3
Package: rubygem193-rack (OpenShift Enterprise 1) - Will not fix
Package: rubygem-rack (OpenShift Enterprise 1) - Will not fix
Package: rubygem-rack (Red Hat Enterprise MRG 2) - Affected
Debian
CVE-2012-6109: ruby-rack - lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3... (vendor_debian, 2012) · CVE-2012-6109 · MEDIUM · CVSS 4.3
Scope: local
bookworm: resolved (fixed in 1.4.1-2.1)
bullseye: resolved (fixed in 1.4.1-2.1)
forky: resolved (fixed in 1.4.1-2.1)
sid: resolved (fixed in 1.4.1-2.1)
trixie: resolved (fixed in 1.4.1-2.1)
No detection rules found.
No public exploits indexed.
References
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://rhn.redhat.com/errata/RHSA-2013-0548.html
- https://bugzilla.redhat.com/show_bug.cgi?id=895277
- https://github.com/rack/rack/blob/master/README.rdoc
- https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5
- https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ