Denial of Service Vulnerability in Rack Affects Rails Applications
CVE-2022-44572
7.5 HIGH
Key Information:
- Vendor: Rack Project
- CVE Published: 9 February 2023
What is CVE-2022-44572?
A vulnerability in the multipart parsing component of Rack allows attackers to craft malicious input that significantly delays the parsing of multipart boundaries according to RFC2183. This delay may lead to a denial of service, impacting virtually all Rails applications that rely on Rack to handle multipart POST requests. The issue affects several versions of Rack, so developers should be aware of it and apply mitigations promptly to protect their applications from service disruption.
Affected Version(s)
https://github.com/rack/rack: 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1
References
CVSS V3.1
- Score: 7.5
- Severity: HIGH
- Confidentiality: None
- Integrity: None
- Availability: None
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Timeline
- Vulnerability published
- Vulnerability reserved