Advisories ยป MGASA-2023-0106

Updated ruby-rack packages fix security vulnerability

Publication date: 24 Mar 2023
Modification date: 24 Mar 2023
Type: security
Affected Mageia releases : 8
CVE: CVE-2022-44570 , CVE-2022-44571 , CVE-2022-44572 , CVE-2023-27530

Description

A denial of service vulnerability in the Range header parsing component of
Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing
component in Rack to take an unexpected amount of time, possibly resulting
in a denial of service attack vector. Any applications that deal with Range
requests (such as streaming applications, or applications that serve files)
may be impacted. (CVE-2022-44570)

There is a denial of service vulnerability in the Content-Disposition
parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This
could allow an attacker to craft an input that can cause Content-Disposition
header parsing in Rackto take an unexpected amount of time, possibly
resulting in a denial ofservice attack vector. This header is used typically
used in multipartparsing. Any applications that parse multipart posts using
Rack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)

A denial of service vulnerability in the multipart parsing component of Rack
fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to
craft input that can cause RFC2183 multipart boundary parsing in Rack to
take an unexpected amount of time, possibly resulting in a denial of service
attack vector. Any applications that parse multipart posts using Rack
(virtually all Rails applications) are impacted. (CVE-2022-44572)

A DoS vulnerability exists in Rack

References

SRPMS

8/core