Severity: 7.5 HIGH (NVD)
EPSS: 2.1% (top 15.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 10; Latest update Sep 26

Description

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source: NVD | Package: rack/rack | Introduced: 2.1.0 | Fixed: 2.1.4.3 (+3 more ranges)
Source: RubyGems | Package: rack/rack | Introduced: 2.1.0 | Fixed: 2.1.4.3 (+3 more ranges)
Source: CVEList V5 | Package: https/github.com_rack_rack | Fixed: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

Also affects: Debian Linux 10.0, 11.0

Patches

🔴Vulnerability Details (7)

OSV: ruby-rack vulnerabilities (2024-09-26)
OSV: ruby-rack vulnerabilities (2024-07-23)
OSV: ruby-rack vulnerabilities (2024-06-17)
CVEList: CVE-2023-27530: A DoS vulnerability exists in Rack <v3 (2023-03-10)
OSV: CVE-2023-27530: A DoS vulnerability exists in Rack <v3 (2023-03-10)

📋Vendor Advisories (5)

Ubuntu: Rack vulnerabilities (2024-09-26)
Ubuntu: Rack vulnerabilities (2024-07-23)
Ubuntu: Rack vulnerabilities (2024-06-17)
Red Hat: rubygem-rack: Denial of service in Multipart MIME parsing (2023-03-08)
Debian: CVE-2023-27530: ruby-rack - A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3... (2023)

💬Community (1)

HackerOne: Possible DoS Vulnerability in Multipart MIME parsing in rack (2023-04-27)
CVE-2023-27530 — Uncontrolled Resource Consumption | cvebase