Debian Ruby-Rack vulnerabilities

50 known vulnerabilities affecting debian/ruby-rack.

Total CVEs: 50
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 18, MEDIUM 27, LOW 4

Vulnerabilities

Page 3 of 3
CVE-2019-16782 | MEDIUM | CVSS 6.3 | fixed in ruby-rack 2.1.1-2 (bookworm) | 2019
[MEDIUM] ruby-rack: There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of
Source: debian
CVE-2018-16471 | MEDIUM | CVSS 6.1 | fixed in ruby-rack 1.6.4-6 (bookworm) | 2018
[MEDIUM] ruby-rack: There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping m
Source: debian
CVE-2018-16470 | LOW | CVSS 7.5 | 2018
[HIGH] ruby-rack: There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. Scope: local. bookworm: resolved; bullseye: resolved; forky: resolved; sid: resolved; trixie: resolved
Source: debian
CVE-2015-3225 | MEDIUM | CVSS 5.0 | fixed in ruby-rack 1.5.2-4 (bookworm) | 2015
[MEDIUM] ruby-rack: lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. Scope: local. bookworm: resolved (fixed in 1.5.2-4); bullseye: resolved (fixed in 1.5.2-4); forky: resolved (fixed in 1.5.2-4); sid:
Source: debian
CVE-2013-0262 | MEDIUM | CVSS 4.3 | fixed in ruby-rack 1.4.1-2.1 (bookworm) | 2013
[MEDIUM] ruby-rack: rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." Scope: local. bookworm: resolved (fixed in 1.4.1-2.1); bullse
Source: debian
CVE-2013-0184 | MEDIUM | CVSS 4.3 | fixed in ruby-rack 1.4.1-2.1 (bookworm) | 2013
[MEDIUM] ruby-rack: Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." Scope: local. bookworm: resolved (fixed in 1.4.1-2.1); bullseye: resolved (fixed in 1.4.1-2.1); forky: re
Source: debian
CVE-2013-0263 | MEDIUM | CVSS 5.1 | fixed in ruby-rack 1.4.1-2.1 (bookworm) | 2013
[MEDIUM] ruby-rack: Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. Scope: local. bookworm: resolved (fixed in
Source: debian
CVE-2013-0183 | MEDIUM | CVSS 5.0 | fixed in ruby-rack 1.4.1-2.1 (bookworm) | 2013
[MEDIUM] ruby-rack: multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. Scope: local. bookworm: resolved (fixed in 1.4.1-2.1); bullseye: resolved (fixed in 1.4.1-2.1); forky: resolved (fixed in 1.4.1-2.1); sid: resolved (fixed i
Source: debian
CVE-2012-6109 | MEDIUM | CVSS 4.3 | fixed in ruby-rack 1.4.1-2.1 (bookworm) | 2012
[MEDIUM] ruby-rack: lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header. Scope: local. bookworm: resolved (fixed in 1.4.1-2.1); bullseye: resolved (fixed in 1.4.1-2.1); forky: resolv
Source: debian
CVE-2011-5036 | MEDIUM | CVSS 5.0 | fixed in ruby-rack 1.4.0-1 (bookworm) | 2011
[MEDIUM] ruby-rack: Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. Scope: local. bookworm: resolved (fixed in 1.4.0-1); bullseye: resolved (fixed i
Source: debian