Possible DoS Vulnerability with Range Header in Rack
CVE-2024-26141

7.5HIGH

Key Information:

Vendor

Rack

Status
Rack
Vendor
CVE Published:
29 February 2024

What is CVE-2024-26141?

The Rack web server interface contains a vulnerability that allows carefully crafted Range headers to trigger unexpectedly large responses from the server. This flaw impacts applications that utilize the Rack::File middleware or the Rack::Utils.byte_ranges methods, including those built on Ruby on Rails. A successful exploitation of this vulnerability can lead to a denial of service scenario, putting the availability of affected web applications at risk. Mitigation has been addressed in the updates released in versions 3.0.9.1 and 2.2.8.1.

Affected Version(s)

rack >= 3.0.0, < 3.0.9.1 < 3.0.0, 3.0.9.1

rack >= 1.3.0, < 2.2.8.1 < 1.3.0, 2.2.8.1

References

https://github.com/rack/rack/security/advisories/GHSA-xj5...
x_refsource_CONFIRM
https://github.com/rack/rack/commit/4849132bef471adb21131...
x_refsource_MISC
https://github.com/rack/rack/commit/62457686b26d33a15a254...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.
CVE-2024-26141 : Possible DoS Vulnerability with Range Header in Rack