CVE-2022-44571 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-44571

CVE-2022-44571

February 09, 2023

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.

Affected Packages

rack (RUBY):

Affected version(s) >=3.0.0 <3.0.4.1

Fix Suggestion:

Update to version 3.0.4.1

rack (RUBY):

Affected version(s) >=2.1.0 <2.1.4.2

Fix Suggestion:

Update to version 2.1.4.2

rack (RUBY):

Affected version(s) >=2.2.0 <2.2.6.1

Fix Suggestion:

Update to version 2.2.6.1

rack (RUBY):

Affected version(s) >=2.0.0 <2.0.9.2

Fix Suggestion:

Update to version 2.0.9.2

Related Resources (7)

https://security.netapp.com/advisory/ntap-20231208-0013/

https://github.com/rack/rack

https://nvd.nist.gov/vuln/detail/CVE-2022-44571

https://www.debian.org/security/2023/dsa-5530

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

https://github.com/rack/rack/releases/tag/v3.0.4.1

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

NONE

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Weakness Type (CWE)

Uncontrolled Resource Consumption

CWE-400

Inefficient Regular Expression Complexity

CWE-1333

EPSS

Base Score:

3.1

Products

Solutions

Resources

Company

Compare

Developer Tools