CVE-2022-44571

Published: 9 February 2023

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.

Priority

Cvss 3 Severity Score

7.5

Score breakdown

Status

Package	Release	Status
ruby-rack Launchpad, Ubuntu, Debian	bionic	Released (1.6.4-4ubuntu0.2+esm4) Available with Ubuntu Pro
	focal	Released (2.0.7-2ubuntu0.1+esm3) Available with Ubuntu Pro
	jammy	Released (2.1.4-5ubuntu1+esm3) Available with Ubuntu Pro
	kinetic	Ignored (end of life, was needed)
	lunar	Not vulnerable (2.2.4-3)
	mantic	Not vulnerable (2.2.4-3)
	trusty	Released (1.5.2-3+deb8u3ubuntu1~esm6) Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
	upstream	Released (2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1)
	xenial	Released (1.6.4-3ubuntu0.2+esm4) Available with Ubuntu Pro
	Patches: upstream: https://github.com/rack/rack/commit/4e33ad10bf5f16d25c156f905bcc548e7f787bc3 upstream: https://github.com/rack/rack/commit/9b5fb5c7ef0e39b959a6c5c0005d9af44a29d6f8 upstream: https://github.com/rack/rack/commit/ee25ab9a7ee981d7578f559701085b0cf39bde77

Severity score breakdown

Parameter	Value
Base score	7.5
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

Bugs

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›