CVE-2022-30123Improper Neutralization of Escape, Meta, or Control Sequences in Project Rack

CWE-150Improper Neutralization of Escape, Meta, or Control SequencesCWE-179Incorrect Behavior Order: Early Validation13 documents7 sources
Severity
10.0CRITICALNVD
OSV7.5OSV5.9
EPSS
2.1%
top 16.02%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Rack Project RackRackHttps Github.com Rack Rack+1 more
Timeline
PublishedDec 5
Latest updateSep 26

Description

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 3.9 | Impact: 6.0

Affected Packages3 packages

RubyGemsrack/rack2.12.1.4.1+2
NVDrack_project/rack2.1.02.1.4.1+2
CVEListV5https/github.com_rack_rack2.0.9.1, 2.1.4.1, 2.2.3.1

Also affects: Debian Linux 11.0

🔴Vulnerability Details

7
OSV
ruby-rack vulnerabilities2024-09-26
OSV
ruby-rack vulnerabilities2023-02-27
OSV
ruby-rack vulnerabilities2022-12-13
OSV
CVE-2022-30123: A sequence injection vulnerability exists in Rack <22022-12-05
CVEList
CVE-2022-30123: A sequence injection vulnerability exists in Rack <22022-12-05

📋Vendor Advisories

5
Ubuntu
Rack vulnerabilities2024-09-26
Ubuntu
Rack vulnerabilities2023-02-27
Ubuntu
Rack vulnerabilities2022-12-13
Red Hat
rubygem-rack: crafted requests can cause shell escape sequences2022-05-27
Debian
CVE-2022-30123: ruby-rack - A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3....2022
CVE-2022-30123 — Rack Project Rack vulnerability | cvebase