Vulnerable Library - rack-1.6.13.gem
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
Also see http://rack.github.io/.
Library home page: https://rubygems.org/gems/rack-1.6.13.gem
Path to dependency file: /Gemfile.lock
Path to vulnerable library: /7.0/cache/rack-1.6.13.gem
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (rack version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2022-30123 | Critical | 10.0 | rack-1.6.13.gem | Direct | rack - 2.0.9.1,2.1.4.1,2.2.3.1 | ❌ |
| CVE-2020-8161 | High | 8.6 | rack-1.6.13.gem | Direct | 2.2.0,2.1.3 | ❌ |
| CVE-2023-27539 | High | 7.5 | rack-1.6.13.gem | Direct | rack - 2.2.6.4,3.0.6.1 | ❌ |
| CVE-2022-44571 | High | 7.5 | rack-1.6.13.gem | Direct | rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1 | ❌ |
| CVE-2022-44570 | High | 7.5 | rack-1.6.13.gem | Direct | rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1 | ❌ |
| CVE-2022-30122 | High | 7.5 | rack-1.6.13.gem | Direct | rack - 2.0.9.1,2.1.4.1,2.2.3.1 | ❌ |
| CVE-2020-8184 | High | 7.5 | rack-1.6.13.gem | Direct | rack - 2.1.4, 2.2.3 | ❌ |
| CVE-2024-26141 | Medium | 5.8 | rack-1.6.13.gem | Direct | rack - 2.2.8.1,3.0.9.1 | ❌ |
| CVE-2024-26146 | Medium | 5.3 | rack-1.6.13.gem | Direct | rack - 2.0.9.4,2.1.4.4,2.2.8.1,3.0.9.1 | ❌ |
| CVE-2024-25126 | Medium | 5.3 | rack-1.6.13.gem | Direct | rack - 2.2.8.1,3.0.9.1 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-30123
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow a shell escape in the Lint and CommonLogger components of Rack.
Publish Date: 2022-12-05
URL: CVE-2022-30123
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wq4h-7r42-5hrr
Release Date: 2022-12-05
Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1
Step up your Open Source Security Game with Mend here
CVE-2020-8161
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
Publish Date: 2020-07-02
URL: CVE-2020-8161
CVSS 3 Score Details (8.6)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-02
Fix Resolution: 2.2.0,2.1.3
CVE-2023-27539
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. The issue is fixed in versions 2.2.6.4 and 3.0.6.1.
Publish Date: 2023-03-03
URL: CVE-2023-27539
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Release Date: 2023-03-03
Fix Resolution: rack - 2.2.6.4,3.0.6.1
CVE-2022-44571
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack, fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1. This could allow an attacker to craft an input that causes Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44571
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-93pm-5p5f-3ghx
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
CVE-2022-44570
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
A denial of service vulnerability exists in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Publish Date: 2023-02-09
URL: CVE-2022-44570
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-65f5-mfpf-vfhj
Release Date: 2023-02-09
Fix Resolution: rack - 2.0.9.2,2.1.4.2,2.2.6.2,3.0.4.1
CVE-2022-30122
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
Publish Date: 2022-12-05
URL: CVE-2022-30122
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-hxqx-xwvh-44m2
Release Date: 2022-12-05
Fix Resolution: rack - 2.0.9.1,2.1.4.1,2.2.3.1
CVE-2020-8184
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
Publish Date: 2020-06-19
URL: CVE-2020-8184
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://groups.google.com/forum/#!topic/rubyonrails-security/OWtmozPH9Ak
Release Date: 2020-06-19
Fix Resolution: rack - 2.1.4, 2.2.3
CVE-2024-26141
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
Publish Date: 2024-02-29
URL: CVE-2024-26141
CVSS 3 Score Details (5.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26141
Release Date: 2024-02-29
Fix Resolution: rack - 2.2.8.1,3.0.9.1
CVE-2024-26146
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Publish Date: 2024-02-29
URL: CVE-2024-26146
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26146
Release Date: 2024-02-29
Fix Resolution: rack - 2.0.9.4,2.1.4.4,2.2.8.1,3.0.9.1
CVE-2024-25126
Vulnerable Library - rack-1.6.13.gem
Dependency Hierarchy:
- ❌ rack-1.6.13.gem (Vulnerable Library)
Found in HEAD commit: 1e3f41f567efc94b726bb551e7ca5af662bbed03
Found in base branch: master
Vulnerability Details
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDoS, 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Publish Date: 2024-02-29
URL: CVE-2024-25126
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-22f2-v57c-j9cx
Release Date: 2024-02-29
Fix Resolution: rack - 2.2.8.1,3.0.9.1