CVE-2024-35231
Published 2024-05-27
Priority: P3 · 43 · high · 8.6 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0.66% (47.0th percentile)
rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service due to the fact that the user controlled data `profiler_runs` was not constrained to any limitation. This would lead to allocating resources on the server side with no limitation and a potential denial of service by remotely user-controlled data. Version 2.5.0 contains a patch for the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rack | rack-contrib | < 2.5.0 | 2.5.0 |
| rack | rack-contrib | >= 0 < 2.5.0 | 2.5.0 |
CVSS provenance
nvd · v3.1 · 8.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
osv · 8.6 HIGH
OSV
rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter
osv·2024-05-28
CVE-2024-35231 [HIGH] rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter
### Summary
The following Ruby code is vulnerable to denial of service because the user-controlled value `profiler_runs` was not constrained to any limit, which leads to allocating resources on the server side without bound (CWE-770).
```ruby
# Rack::Profiler in rack-contrib < 2.5.0: the run count is taken straight from the request
runs = (request.params['profiler_runs'] || @times).to_i
result = @profile.profile do
  runs.times { @app.call(env) }
end
```
An exploit such as `curl --fail "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"` may cause resource exhaustion through a remotely controlled value.
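As an added example (not rack-contrib's code and not part of the advisory), the unbounded pattern above next to a bounded resolution of `profiler_runs`: a plain-digit check with a length cap before `to_i`, a clamp to a configured maximum, and a 400 response when the value does not parse. `BoundedRepeat`, `DEFAULT_RUNS`, `MAX_RUNS` and the `run_with_counter` helper are assumptions made for this example; it uses only the Ruby standard library and a hand-rolled Rack-style middleware, so it runs without the rack gem installed.

```ruby
require 'uri'

# Constructed example: a Rack-style middleware that repeats the downstream app
# call `profiler_runs` times, as the advisory's snippet does, but bounds the
# count. BoundedRepeat, DEFAULT_RUNS and MAX_RUNS are names assumed for this
# example, not rack-contrib's own API.
module BoundedRepeat
  DEFAULT_RUNS = 1
  MAX_RUNS = 10

  # Vulnerable resolution, as in the advisory: any integer string is accepted,
  # so a remote caller decides how many times the app runs (CWE-770).
  def self.unbounded_runs(param, default = DEFAULT_RUNS)
    (param || default).to_i
  end

  # Hardened resolution: accept only a short run of decimal digits, then clamp
  # to [1, max]. Returns nil for anything else so the caller can reject it.
  def self.bounded_runs(param, default: DEFAULT_RUNS, max: MAX_RUNS)
    return default if param.nil? || param.empty?
    return nil unless param.match?(/\A\d{1,6}\z/) # length cap before to_i
    param.to_i.clamp(1, max)
  end

  class Middleware
    def initialize(app, max_runs: MAX_RUNS)
      @app = app
      @max_runs = max_runs
    end

    def call(env)
      params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
      runs = BoundedRepeat.bounded_runs(params['profiler_runs'], max: @max_runs)
      if runs.nil?
        return [400, { 'content-type' => 'text/plain' }, ["invalid profiler_runs\n"]]
      end
      result = nil
      runs.times { result = @app.call(env) } # runs is now at most @max_runs
      result
    end
  end

  # Demonstration helper: returns [status, number of inner app invocations]
  # for a constructed query string, so the bound is observable.
  def self.run_with_counter(query, max_runs: MAX_RUNS)
    calls = 0
    app = lambda do |_env|
      calls += 1
      [200, { 'content-type' => 'text/plain' }, ["ok\n"]]
    end
    status, _headers, _body = Middleware.new(app, max_runs: max_runs).call('QUERY_STRING' => query)
    [status, calls]
  end
end

if __FILE__ == $PROGRAM_NAME
  p BoundedRepeat.unbounded_runs('9999999999')          # 9999999999
  p BoundedRepeat.bounded_runs('9999999999')            # nil
  p BoundedRepeat.run_with_counter('profiler_runs=3')   # [200, 3]
  p BoundedRepeat.run_with_counter('profiler_runs=50')  # [200, 10]
end
```

Rejecting the value with a 400 rather than silently clamping it makes the abuse visible in access logs, which is the signal a detection rule for this class of parameter would key on; clamping alone keeps the endpoint usable but hides the attempt.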
### PoC
Herein the `config.ru` file:
```ruby
require 'rack'
require 'rack/contrib'
use Rack::Profiler # if ENV['RACK_ENV']
# Placeholder downstream app so the file loads (an assumption; the PoC's own app is not reproduced here)
run ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
```
GHSA
rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter
ghsa·2024-05-28
CVE-2024-35231 [HIGH] CWE-770 rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter
OSV
CVE-2024-35231: rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface
osv·2024-05-27·CVSS 8.6
CVE-2024-35231 [HIGH] rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
https://github.com/rack/rack-contrib/security/advisories/GHSA-8c8q-2xw3-j869
Published: 2024-05-27