Fluid Attacks Database

Description

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	rack	>=3.0.0 <3.0.9.1 \|\| >=1.3.0 <2.2.8.1	3.0.9.1, 2.2.8.1
debian 11	ruby-rack	=2.1.4-3 \|\| =2.1.4-3+deb11u1 \|\| >=0 <2.1.4-3+deb11u2	2.1.4-3+deb11u2
debian 12	ruby-rack	=2.2.6.4-1 \|\| >=0 <2.2.6.4-1+deb12u1	2.2.6.4-1+deb12u1
debian 13	ruby-rack	>=0 <2.2.7-1.1	2.2.7-1.1
debian 14	ruby-rack	>=0 <2.2.7-1.1	2.2.7-1.1
rpm rhel8	pcs	<0:0.10.18-2.el8_10	0:0.10.18-2.el8_10
rpm rhel9	pcs	<0:0.11.7-2.el9_4	0:0.11.7-2.el9_4
rpm rhel7	pcs	-	-
rpm rhel8.8	pcs	<0:0.10.15-4.el8_8.2	0:0.10.15-4.el8_8.2
rpm rhel8.6	pcs	<0:0.10.12-6.el8_6.5	0:0.10.12-6.el8_6.5

1-10 of 12

Aliases

1. CVE-2024-261412. NVD-2024-261413. OSV-2024-261414. OSV-DEBIAN-2024-261415. GHSA-xj5v-6v4g-jfw66. GCVE-2024-261417. SECURITY-TRACKER-CVE-2024-26141

References

1. https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw62. https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d93. https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b4. https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/849445. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml