CVE-2015-3225 — Uncontrolled Resource Consumption in Rack

CWE-19 CWE-400 — Uncontrolled Resource Consumption11 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

10.5%

top 6.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Rack Project Rack Debian Linux +1 more

Timeline

PublishedJul 26

Latest updateOct 24

Description

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶RubyGemsrack/rack1.5.0 — 1.5.4+2

▶NVDrack_project/rack1.5.3+2

▶NVDopensuse/opensuse13.1, 13.2+1

Also affects: Debian Linux 7.0, 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Rack vulnerable to Denial of Service via large parameter depth request↗2017-10-24

▶

OSV

Rack vulnerable to Denial of Service via large parameter depth request↗2017-10-24

▶

CVEList

CVE-2015-3225: lib/rack/utils↗2015-07-26

▶

OSV

CVE-2015-3225: lib/rack/utils↗2015-07-26

▶

📋Vendor Advisories

Red Hat

rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()↗2015-06-16

▶

Debian

CVE-2015-3225: ruby-rack - lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby...↗2015

▶

💬Community

Bugzilla

CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params() [epel-all]↗2015-07-31

▶

Bugzilla

CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params() [fedora-all]↗2015-07-31

▶

HackerOne

Denial of Service in Action Pack Exception Handling↗2015-06-16

▶

Bugzilla

CVE-2015-3225 rubygem-rack: Potential Denial of Service Vulnerability in Rack normalize_params()↗2015-06-16

▶