CVE-2022-30122.yml
---
gem: rack
cve: 2022-30122
ghsa: hxqx-xwvh-44m2
url: https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
title: Denial of Service Vulnerability in Rack Multipart Parsing
date: 2022-06-27
description: |
  There is a possible denial of service vulnerability in the multipart parsing
  component of Rack. This vulnerability has been assigned the CVE identifier
  CVE-2022-30122.

  Versions Affected: >= 1.2
  Not affected: < 1.2
  Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

  ## Impact

  Carefully crafted multipart POST requests can cause Rack's multipart parser to
  take much longer than expected, leading to a possible denial of service
  vulnerability.

  Impacted code is any code that uses Rack's multipart parser to parse multipart
  posts. This includes calling the multipart parser directly, like this:

  ```
  params = Rack::Multipart.parse_multipart(env)
  ```

  But it also includes reading POST data from a Rack request object, like this:

  ```
  p request.POST # reads POST data
  p request.params # reads both query params and POST data
  ```

  All users running an affected release should upgrade immediately.

  ## Workarounds

  There are no feasible workarounds for this issue.
cvss_v3: 7.5
unaffected_versions:
- "< 1.2"
patched_versions:
- "~> 2.0.9, >= 2.0.9.1"
- "~> 2.1.4, >= 2.1.4.1"
- ">= 2.2.3.1"
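As an added example (not part of the advisory or of the Rack project), the Ruby code below evaluates the `unaffected_versions` and `patched_versions` ranges of this entry against a given Rack version, the way bundler-audit interprets ruby-advisory-db entries: each entry may carry several comma-separated constraints that must all hold, so `~> 2.0.9, >= 2.0.9.1` covers 2.0.9.1 and later patch releases of the 2.0 series but not 2.0.9 itself. The helper names `status`, `vulnerable?` and `matches_any?` are ours, and the sample versions in the usage block are constructed.

```ruby
require "rubygems"

# Ranges copied verbatim from the advisory entry above.
UNAFFECTED_VERSIONS = ["< 1.2"].freeze
PATCHED_VERSIONS = [
  "~> 2.0.9, >= 2.0.9.1",
  "~> 2.1.4, >= 2.1.4.1",
  ">= 2.2.3.1",
].freeze

# True when +version+ satisfies at least one entry in +ranges+.
# An entry like "~> 2.0.9, >= 2.0.9.1" is a list of constraints that must
# all hold, so it is split on commas before being handed to Gem::Requirement
# (Gem::Requirement does not parse comma-separated strings itself).
def matches_any?(version, ranges)
  v = Gem::Version.new(version)
  ranges.any? do |range|
    constraints = range.split(",").map(&:strip)
    Gem::Requirement.new(*constraints).satisfied_by?(v)
  end
end

# Classify a Rack version against this advisory:
#   :unaffected  - below the first affected release
#   :patched     - inside one of the fixed ranges
#   :vulnerable  - everything else (affected and not fixed)
def status(version)
  return :unaffected if matches_any?(version, UNAFFECTED_VERSIONS)
  return :patched if matches_any?(version, PATCHED_VERSIONS)
  :vulnerable
end

def vulnerable?(version)
  status(version) == :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions straddling each fixed range boundary.
  %w[1.1.6 1.2.0 2.0.9 2.0.9.1 2.0.10 2.1.4 2.1.4.1 2.2.3 2.2.3.1 3.0.0].each do |ver|
    puts "rack #{ver}: #{status(ver)}"
  end
end
```

Note that the `~>` constraint is what keeps a backport line such as 2.0.9.1 from being reported as patched only because it is numerically above 2.0.9; without the paired `>= 2.0.9.1` constraint, 2.0.9 itself would wrongly match.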