DoS Vulnerability in Rack's Multipart Parser Leading to Resource Exhaustion
CVE-2018-16470

7.5HIGH

Key Information:

Vendor: Rack
Status: Rack
Vendor: CVE Published:; 13 November 2018

What is CVE-2018-16470?

A Denial of Service vulnerability exists in the multipart parser of Rack, affecting versions prior to 2.0.6. This vulnerability allows attackers to send specially crafted requests, triggering the parser to enter a pathological state. As a result, the parser consumes excessive CPU resources in relation to the size of the request, potentially disrupting service and affecting application performance.

Affected Version(s)

Rack 2.0.6

References

https://groups.google.com/forum/#%21msg/rubyonrails-secur...

x_refsource_MISC

https://access.redhat.com/errata/RHSA-2019:3172

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 13, 2018
Vulnerability Reserved
Sep 4, 2018