Fluid Attacks Database

Description

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ruby-rack	=2.1.4-3 \|\| =2.1.4-3+deb11u1 \|\| >=0 <2.1.4-3+deb11u2	2.1.4-3+deb11u2
debian 12	ruby-rack	=2.2.6.4-1 \|\| >=0 <2.2.6.4-1+deb12u1	2.2.6.4-1+deb12u1
debian 13	ruby-rack	>=0 <2.2.7-1.1	2.2.7-1.1
debian 14	ruby-rack	>=0 <2.2.7-1.1	2.2.7-1.1
rubygems	rack	>=3.0.0 <3.0.9.1 \|\| >=0.4 <2.2.8.1	3.0.9.1, 2.2.8.1
rpm rhel7	pcs	-	-
rpm rhel8	pcs	<0:0.10.18-2.el8_10	0:0.10.18-2.el8_10
rpm rhel9	pcs	<0:0.11.7-2.el9_4	0:0.11.7-2.el9_4
rpm rhel9.0	pcs	<0:0.11.1-10.el9_0.5	0:0.11.1-10.el9_0.5
rpm rhel8.6	pcs	<0:0.10.12-6.el8_6.5	0:0.10.12-6.el8_6.5

1-10 of 12

Aliases

1. CVE-2024-251262. NVD-2024-251263. OSV-DEBIAN-2024-251264. OSV-2024-251265. GHSA-22f2-v57c-j9cx6. GCVE-2024-251267. SECURITY-TRACKER-CVE-2024-251268. lists.debian.org

References

1. https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx2. https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd5434623. https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf494. https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/849415. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml6. https://security.netapp.com/advisory/ntap-20240510-0005