CVE-2024-35231.yml
---
gem: rack-contrib
cve: 2024-35231
ghsa: 8c8q-2xw3-j869
url: https://nvd.nist.gov/vuln/detail/CVE-2024-35231
title: Denial of Service in rack-contrib via "profiler_runs" parameter
date: 2024-05-27
description: |
  rack-contrib prior to version 2.5.0 is vulnerable to a Denial of Service
  via the `profiler_runs` HTTP request parameter.

  Versions Affected: < 2.5.0
  Fixed Versions: >= 2.5.0

  # Impact

  An attacker can trigger a Denial of Service by sending an HTTP request with
  an overly large `profiler_runs` parameter.

  ```shell
  curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
  ```

  # Releases

  The fixed releases are available at the normal locations.

  # Workarounds

  There are no feasible workarounds for this issue.
cvss_v3: 8.6
patched_versions:
  - ">= 2.5.0"
related:
  url:
    - https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
    - https://github.com/advisories/GHSA-8c8q-2xw3-j869