CVE-2024-26146.yml
42 lines (34 loc) · 1.36 KB
---
gem: rack
cve: 2024-26146
ghsa: 54rr-7fvw-6x8f
url: https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
title: Possible Denial of Service Vulnerability in Rack Header Parsing
date: 2024-02-21
description: |
  There is a possible denial of service vulnerability in the header parsing
  routines in Rack. This vulnerability has been assigned the CVE identifier
  CVE-2024-26146.

  Versions Affected: All.
  Not affected: None
  Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

  # Impact

  Carefully crafted headers can cause header parsing in Rack to take longer than
  expected, resulting in a possible denial of service issue. `Accept` and
  `Forwarded` headers are impacted.

  Ruby 3.2 has mitigations for this problem, so Rack applications using
  Ruby 3.2 or newer are unaffected.

  # Releases

  The fixed releases are available at the normal locations.

  # Workarounds

  There are no feasible workarounds for this issue.
patched_versions:
  - "~> 2.0.9, >= 2.0.9.4"
  - "~> 2.1.4, >= 2.1.4.4"
  - "~> 2.2.8, >= 2.2.8.1"
  - ">= 3.0.9.1"
related:
  url:
    - https://github.com/rack/rack/releases/tag/v3.0.9.1
    - https://github.com/rack/rack/releases/tag/v2.2.8.1
    - https://nvd.nist.gov/vuln/detail/CVE-2024-26146
    - https://access.redhat.com/security/cve/cve-2024-26146
    - https://ubuntu.com/security/CVE-2024-26146
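The following Ruby script is an added example, not part of the advisory database or of bundler-audit: it evaluates the `patched_versions` constraints above with `Gem::Requirement`, reads the locked `rack` version out of a constructed `Gemfile.lock` fragment, and combines the result with the advisory's note that Ruby 3.2 or newer is unaffected. It assumes that each `patched_versions` entry is a comma-separated `Gem::Requirement` string and that a version is patched when it satisfies any one entry.

```ruby
require "rubygems"

# patched_versions entries copied from the advisory above. Assumption: each
# entry is a comma-separated Gem::Requirement, and satisfying ANY entry means
# the version is patched.
PATCHED_VERSIONS = [
  "~> 2.0.9, >= 2.0.9.4",
  "~> 2.1.4, >= 2.1.4.4",
  "~> 2.2.8, >= 2.2.8.1",
  ">= 3.0.9.1",
].freeze

# True when the given rack version string falls under a patched_versions entry.
# "~> 2.2.8, >= 2.2.8.1" accepts 2.2.8.1 up to (but excluding) 2.3.0, so a
# later 2.2.x point release counts as patched while 2.2.8 itself does not.
def rack_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_VERSIONS.any? do |entry|
    Gem::Requirement.new(*entry.split(",").map(&:strip)).satisfied_by?(v)
  end
end

# The advisory states Ruby 3.2 mitigates the slow header parsing, so an
# installation is affected only if rack is unpatched AND Ruby is older than 3.2.
def affected?(rack_version, ruby_version = RUBY_VERSION)
  !rack_patched?(rack_version) &&
    Gem::Version.new(ruby_version) < Gem::Version.new("3.2")
end

# Extract the locked rack version from Gemfile.lock text (specs are indented
# four spaces under GEM; dependencies sit deeper and are skipped). nil if absent.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \((\d[^)]*)\)$/)
  m && m[1]
end

# Constructed Gemfile.lock fragment used as sample input.
SAMPLE_LOCK = <<~LOCK.freeze
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      rack-test (2.1.0)
        rack (>= 1.3)
LOCK

if __FILE__ == $0
  v = locked_rack_version(SAMPLE_LOCK)
  puts "rack #{v}: #{affected?(v) ? 'AFFECTED' : 'not affected'} on Ruby #{RUBY_VERSION}"
end
```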