CVE-2024-26141.yml
---
gem: rack
cve: 2024-26141
ghsa: xj5v-6v4g-jfw6
url: https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
title: Possible DoS Vulnerability with Range Header in Rack
date: 2024-02-21
description: |
  There is a possible DoS vulnerability relating to the Range request header in
  Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

  Versions Affected:  >= 1.3.0
  Not affected:       < 1.3.0
  Fixed Versions:     3.0.9.1, 2.2.8.1

  # Impact

  Carefully crafted Range headers can cause a server to respond with an
  unexpectedly large response. Responding with such large responses could lead
  to a denial of service issue.

  Vulnerable applications will use the `Rack::File` middleware or the
  `Rack::Utils.byte_ranges` methods (this includes Rails applications).

  # Releases

  The fixed releases are available at the normal locations.

  # Workarounds

  There are no feasible workarounds for this issue.
unaffected_versions:
  - "< 1.3.0"
patched_versions:
  - "~> 2.2.8, >= 2.2.8.1"
  - ">= 3.0.9.1"
related:
  url:
    - https://github.com/rack/rack/releases/tag/v3.0.9.1
    - https://github.com/rack/rack/releases/tag/v2.2.8.1
    - https://nvd.nist.gov/vuln/detail/CVE-2024-25141
    - https://access.redhat.com/security/cve/cve-2024-26141
    - https://ubuntu.com/security/CVE-2024-26141
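The `unaffected_versions` and `patched_versions` fields above are what a dependency scanner evaluates to decide whether a locked rack version needs attention. The following script is an added example (not part of the ruby-advisory-db entry or of rack itself) that applies those constraint strings to a candidate version with RubyGems' `Gem::Requirement`, the constraint syntax the fields use. It assumes that a comma-separated constraint such as `"~> 2.2.8, >= 2.2.8.1"` means all parts must hold, and that a version matching neither list is vulnerable; the version strings fed in at the bottom are constructed for illustration.

```ruby
# Added example: classify a rack version against the CVE-2024-26141 advisory
# fields using Gem::Requirement. Not code from ruby-advisory-db or rack.
require "rubygems"

# Constraint strings copied from the advisory entry above.
ADVISORY = {
  id: "CVE-2024-26141",
  unaffected_versions: ["< 1.3.0"],
  patched_versions: ["~> 2.2.8, >= 2.2.8.1", ">= 3.0.9.1"],
}.freeze

# One advisory constraint may hold several comma-separated requirements
# ("~> 2.2.8, >= 2.2.8.1"); Gem::Requirement.new takes them as separate
# arguments and requires every one of them to be satisfied (assumption:
# the comma means "and", as it does in a Gemfile).
def parse_constraint(constraint)
  Gem::Requirement.new(*constraint.split(/,\s*/))
end

# True when the version satisfies at least one constraint in the list.
def version_matches?(constraints, version)
  v = Gem::Version.new(version)
  constraints.any? { |c| parse_constraint(c).satisfied_by?(v) }
end

# Returns :unaffected, :patched or :vulnerable for the given rack version.
# Order matters: the unaffected range is checked first, then the patched
# ranges; anything left over falls inside the affected window.
def assess(version, advisory = ADVISORY)
  return :unaffected if version_matches?(advisory[:unaffected_versions], version)
  return :patched    if version_matches?(advisory[:patched_versions], version)
  :vulnerable
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample versions spanning the advisory's boundaries.
  %w[1.2.9 1.3.0 2.2.8 2.2.8.1 2.2.9 3.0.9 3.0.9.1 3.1.0].each do |v|
    puts "rack #{v}: #{assess(v)}"
  end
end
```

Note that `2.2.9` is classified as patched even though it is not listed explicitly: `~> 2.2.8` admits any `2.2.x` from `2.2.8` upward, and `>= 2.2.8.1` then excludes only the unpatched `2.2.8` itself. That is why the advisory pairs the two operators rather than writing `>= 2.2.8.1` alone, which would also have matched the still-vulnerable `3.0.0` through `3.0.9`.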