Products
rack-contrib
- before 2.5.0
Source
security-advisories@github.com
Tags
CVE-2024-35231 details
Published : May 27, 2024, 5:15 p.m.
Last Modified : May 27, 2024, 5:15 p.m.
Last Modified : May 27, 2024, 5:15 p.m.
Description
rack-contrib provides contributed rack middleware and utilities for Rack, a Ruby web server interface. Versions of rack-contrib prior to 2.5.0 are vulnerable to denial of service due to the fact that the user controlled data `profiler_runs` was not constrained to any limitation. This would lead to allocating resources on the server side with no limitation and a potential denial of service by remotely user-controlled data. Version 2.5.0 contains a patch for the issue.
CVSS Score
| 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8.6 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|
CVSS Data
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
Scope
CHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
8.6
Exploitability Score
Impact Score
Base Severity
HIGH
Vector String : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
References
| URL | Source |
|---|---|
| https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7 | security-advisories@github.com |
| https://github.com/rack/rack-contrib/security/advisories/GHSA-8c8q-2xw3-j869 | security-advisories@github.com |
This website uses the NVD API, but is not approved or certified by it.