CVE-2015-3225
Published 2015-07-26
CVE-2015-3225: lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a…
PriorityP428medium5CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 7.78% (93.9th percentile)
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
Affected (11 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | ruby-rack | < ruby-rack 1.5.2-4 (bookworm) | ruby-rack 1.5.2-4 (bookworm) |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| rack | rack | >= 1.4.0 < 1.4.6 | 1.4.6 |
| rack | rack | >= 1.5.0 < 1.5.4 | 1.5.4 |
| rack | rack | >= 1.6.0 < 1.6.2 | 1.6.2 |
| rack_project | rack | <= 1.5.3 | — |
| rack_project | rack | — | — |
| rack_project | rack | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA · 2017-10-24 · MEDIUM
Rack vulnerable to Denial of Service via large parameter depth request
OSV · 2017-10-24 · MEDIUM
Rack vulnerable to Denial of Service via large parameter depth request
OSV · 2015-07-26 · CVSS 5.0 · MEDIUM
CVE-2015-3225: lib/rack/utils
Red Hat · 2015-06-16 · CVSS 5.0 · MEDIUM · CWE-400
rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()
A flaw was found in a way Rack processed parameters of incoming requests. An attacker could use this flaw to send a crafted request that would cause an application using Rack to crash.
Package: ruby193-rubygem-rack (CloudForms Management Engine 5) - Will not fix
Package: rubygem-rack (OpenStack Foreman) - Will not fix
Package: rubygem-rack (Red Hat Enterprise MRG 2) - Will not fix
Package: rubygem-rack (Red Hat OpenShift Enterprise 2) - Will not fix
Package: rh-ror41-
Debian · 2015 · CVSS 5.0 · MEDIUM
CVE-2015-3225: ruby-rack - lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby...
Scope: local
bookworm: resolved (fixed in 1.5.2-4)
bullseye: resolved (fixed in 1.5.2-4)
forky: resolved (fixed in 1.5.2-4)
sid: resolved (fixed in 1.5.2-4)
trixie: resolved (fixed in 1.5.2-4)
No detection rules found.
No public exploits indexed.
Bugzilla · 2015-07-31 · CVSS 5.0 · MEDIUM
CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params() [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affe
Bugzilla · 2015-07-31 · CVSS 5.0 · MEDIUM
CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
HackerOne · 2015-06-16
Denial of Service in Action Pack Exception Handling
# Severity
Medium
# Impact
Attackers can cause an application to be unreachable, causing a denial of service condition.
# Details
When a Rails application receives a request with either body or query parameters, these parameters are converted to a params hash. Hashes can be passed to the application in the form of user[name]=foo&user[address]=bar. Action Pack will then convert this into a hash in the form of `{ user[:name] => "foo", user[:address] => "bar" }`. By passing a very large nested hash in the form of nested_hash[X1][X2]...[Xn], it is possible to create a denial of service condition in the form of a SystemStackError that is not handled properly. See the Bug Notes section on my attempt to figure out where this is occurring.
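The fix for this class of bug is to bound the nesting depth explicitly before the parser recurses, so an over-deep key is refused with an ordinary, catchable error rather than exhausting the Ruby stack. The following is an added example written for this page; it is not Rack's `normalize_params` or any code from the report above. It is a minimal nested-query normalizer of the same shape (keys like `user[address][city]`), with an assumed limit `MAX_PARAM_DEPTH`, an assumed error class `ParamsTooDeepError`, and a `handle_query` helper that turns that error into a 400-style result. Array syntax (`a[]=1`) is deliberately not handled.

```ruby
require "cgi"

# Added example, not Rack's code: a nested-parameter normalizer with an
# explicit nesting-depth limit. An over-deep key raises ParamsTooDeepError
# (an ordinary StandardError) instead of recursing until SystemStackError.

class ParamsTooDeepError < StandardError; end

# Maximum number of [..] levels allowed on a single key (assumed value).
MAX_PARAM_DEPTH = 32

# Split "user[address][city]" into ["user", "address", "city"].
# A key without brackets (or one that does not match the pattern) is
# returned as a single segment. Array syntax ("a[]") is out of scope here.
def split_key(key)
  m = key.match(/\A([^\[\]]+)((?:\[[^\[\]]*\])*)\z/)
  return [key] unless m
  [m[1]] + m[2].scan(/\[([^\[\]]*)\]/).flatten
end

# Store value under the given path of keys. Depth (number of bracket levels,
# i.e. path.size - 1) is checked up front, before any nested hash is built.
def assign_nested(params, path, value, depth_limit)
  depth = path.size - 1
  if depth > depth_limit
    raise ParamsTooDeepError, "nesting depth #{depth} exceeds limit #{depth_limit}"
  end
  *heads, last = path
  node = heads.inject(params) do |cur, k|
    cur[k] = {} unless cur[k].is_a?(Hash)
    cur[k]
  end
  node[last] = value
  params
end

# Parse a raw query string into a nested Hash, refusing over-deep keys.
def parse_nested_query(qs, depth_limit = MAX_PARAM_DEPTH)
  params = {}
  qs.split("&").each do |pair|
    next if pair.empty?
    k, v = pair.split("=", 2)
    k = CGI.unescape(k)
    v = CGI.unescape(v) unless v.nil?
    assign_nested(params, split_key(k), v, depth_limit)
  end
  params
end

# Middleware-style guard: a controlled [400, message] for over-deep input,
# [200, params] otherwise. The request never reaches the stack limit.
def handle_query(qs, depth_limit = MAX_PARAM_DEPTH)
  [200, parse_nested_query(qs, depth_limit)]
rescue ParamsTooDeepError => e
  [400, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: a normal form post and an over-deep key.
  p handle_query("user[name]=foo&user[address]=bar")
  p handle_query("a" + "[x]" * 40 + "=1")
end
```

The important property is that the depth check runs on the flat list of key segments before any recursion or nested allocation happens, so the cost of rejecting a hostile request is proportional to the key length, not to the depth the parser would otherwise have to walk.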
Bugzilla · 2015-06-16 · CVSS 5.0 · MEDIUM
CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()
A potential denial of service vulnerability in Rack was reported.
Carefully crafted requests can cause a `SystemStackError` and potentially cause a denial of service attack.
Patches that fix this are attached.
Acknowledgements:
Red Hat would like to thank Ruby upstream developers for reporting this. Upstream acknowledges Tomek Rabczak from the NCC Group as the original reporter.
Discussion:
Created attachment 1039440
1-5-deep_params.patch
---
Created attachment 1039441
1-6-deep_params.patch
---
This is public now:
http://seclists.org/oss-sec/2015/q2/729
---
From upstream advisory:
"Versions Affected: All.
Not affected: None.
Fixed Versions: 1.6.2, 1.5.4
Impact
Carefully crafted r
References
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.html
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.html
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.html
- http://openwall.com/lists/oss-security/2015/06/16/14
- http://rhn.redhat.com/errata/RHSA-2015-2290.html
- http://www.debian.org/security/2015/dsa-3322
- http://www.securityfocus.com/bid/75232
- https://github.com/rack/rack/blob/master/HISTORY.md
- https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJ
Published: 2015-07-26