Headline
GHSA-54rr-7fvw-6x8f: Rack Header Parsing leads to Possible Denial of Service Vulnerability
Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.
Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.
Patches
To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 2-0-header-redos.patch - Patch for 2.0 series
- 2-1-header-redos.patch - Patch for 2.1 series
- 2-2-header-redos.patch - Patch for 2.2 series
- 3-0-header-redos.patch - Patch for 3.0 series
Credits
Thanks to svalkanov for reporting this and providing patches!
Skip to content
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-26146
Rack Header Parsing leads to Possible Denial of Service Vulnerability
Low severity GitHub Reviewed Published Feb 28, 2024 in rack/rack • Updated Feb 28, 2024
Package
Affected versions
>= 3.0.0, < 3.0.9.1
>= 2.2.0, < 2.2.8.1
>= 2.1.0, < 2.1.4.4
< 2.0.9.4
Patched versions
3.0.9.1
2.2.8.1
2.1.4.4
2.0.9.4
Description
Published to the GitHub Advisory Database
Feb 28, 2024
Last updated
Feb 28, 2024
Related news
Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.
Ubuntu Security Notice 6837-2 - It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Rack incorrectly handled certain Range headers. A remote attacker could possibly use this issue to cause Rack to create large responses, leading to a denial of service.
Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.
Red Hat Security Advisory 2024-3431-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.
Debian Linux Security Advisory 5698-1 - Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.
Red Hat Security Advisory 2024-2584-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2581-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-2007-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1846-03 - An update for pcs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-1841-03 - An update for pcs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6689-1 - It was discovered that Rack incorrectly parse some headers. An attacker could possibly use this issue to cause a denial of service.