CVE-2024-35231

rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service due to the fact that the user controlled data `profiler_runs` was not constrained to any limitation. This would lead to allocating resources on the server side with no limitation and a potential denial of service by remotely user-controlled data. Version 2.5.0 contains a patch for the issue.

CVSS v3 8.6 HIGH

8.6^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
https://github.com/rack/rack-contrib/security/advisories/GHSA-8c8q-2xw3-j869

Configurations

No configuration.

History

28 May 2024, 12:39

Type	Values Removed	Values Added
Summary		(es) rack-contrib proporciona middleware y utilidades de rack para Rack, una interfaz de servidor web Ruby. Las versiones de rack-contrib anteriores a la 2.5.0 son vulnerables a la denegación de servicio debido al hecho de que los datos controlados por el usuario "profiler_runs" no estaban sujetos a ninguna limitación. Esto conduciría a la asignación de recursos en el lado del servidor sin limitación y a una posible denegación de servicio mediante datos controlados remotamente por el usuario. La versión 2.5.0 contiene un parche para el problema.

27 May 2024, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-05-27 17:15

Updated : 2024-05-28 12:39

NVD link : CVE-2024-35231

Mitre link : CVE-2024-35231

CVE.ORG link : CVE-2024-35231

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

8.6 /10