CVE-2012-6109 — Infinite Loop in Rack

CWE-835 — Infinite Loop8 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

0.8%

top 25.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Rack Project Rack

Timeline

PublishedMar 1

Latest updateOct 24

Description

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶RubyGemsrack/rack1.2.0 — 1.2.6+3

▶NVDrack_project/rack1.1.3+24

🔴Vulnerability Details

GHSA

Rack vulnerable to REDoS↗2017-10-24

▶

OSV

Rack vulnerable to REDoS↗2017-10-24

▶

CVEList

CVE-2012-6109: lib/rack/multipart↗2013-03-01

▶

OSV

CVE-2012-6109: lib/rack/multipart↗2013-03-01

▶

📋Vendor Advisories

Red Hat

rubygem-rack: parsing Content-Disposition header DoS↗2012-05-04

▶

Debian

CVE-2012-6109: ruby-rack - lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3...↗2012

▶

💬Community

Bugzilla

CVE-2012-6109 rubygem-rack: parsing Content-Disposition header DoS↗2013-01-14

▶