CVE-2022-44572: Uncontrolled Resource Consumption in Rack

Severity: 7.5 HIGH (NVD)
EPSS: 0.3% (top 49.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 9; Latest update Sep 26

Description

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source     | Package                     | Affected from | Fixed in
NVD        | rack/rack                   | 2.1.0         | 2.1.4.2 (+2 more)
RubyGems   | rack/rack                   | 2.0.0         | 2.0.9.2 (+3 more)
CVEList V5 | https://github.com/rack/rack |               | 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1

Vulnerability Details (6)

OSV: ruby-rack vulnerabilities (2024-09-26)
OSV: ruby-rack vulnerabilities (2023-03-02)
OSV: CVE-2022-44572: A denial of service vulnerability in the multipart parsing component of Rack fixed in 2... (2023-02-09)
CVEList: CVE-2022-44572: A denial of service vulnerability in the multipart parsing component of Rack fixed in 2... (2023-02-09)
GHSA: Denial of service via multipart parsing in Rack (2023-01-18)

Vendor Advisories (4)

Ubuntu: Rack vulnerabilities (2024-09-26)
Ubuntu: Rack vulnerabilities (2023-03-02)
Red Hat: rubygem-rack: denial of service in Content-Disposition parsing (2023-01-20)
Debian: CVE-2022-44572: ruby-rack - A denial of service vulnerability in the multipart parsing component of Rack fix... (2022)

Community (1)

HackerOne: [CVE-2022-44572] Possible Denial of Service Vulnerability in Rack's RFC2183 boundary parsing (2023-07-27)
CVE-2022-44572 — Uncontrolled Resource Consumption | cvebase