OpenCVE

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:M/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Cloudforms Cloudengine	1
Rack Project	Rack
Rhel Sam	1.2

Configuration 1 [-]

OR	cpe:2.3:a:rack_project:rack::::::::
	cpe:2.3:a:rack_project:rack:0.1:::::::*
	cpe:2.3:a:rack_project:rack:0.2:::::::*
	cpe:2.3:a:rack_project:rack:0.3:::::::*
	cpe:2.3:a:rack_project:rack:0.4:::::::*
	cpe:2.3:a:rack_project:rack:0.9:::::::*
	cpe:2.3:a:rack_project:rack:0.9.1:::::::*
	cpe:2.3:a:rack_project:rack:1.0.0:::::::*
	cpe:2.3:a:rack_project:rack:1.0.1:::::::*
	cpe:2.3:a:rack_project:rack:1.1.0:::::::*
	cpe:2.3:a:rack_project:rack:1.1.2:::::::*

Configuration 2 [-]

OR	cpe:2.3:a:rack_project:rack:1.2.0:::::::*
	cpe:2.3:a:rack_project:rack:1.2.1:::::::*
	cpe:2.3:a:rack_project:rack:1.2.2:::::::*
	cpe:2.3:a:rack_project:rack:1.2.3:::::::*
	cpe:2.3:a:rack_project:rack:1.2.4:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:rack_project:rack:1.3.0:::::::*
	cpe:2.3:a:rack_project:rack:1.3.1:::::::*
	cpe:2.3:a:rack_project:rack:1.3.2:::::::*
	cpe:2.3:a:rack_project:rack:1.3.3:::::::*
	cpe:2.3:a:rack_project:rack:1.3.4:::::::*
	cpe:2.3:a:rack_project:rack:1.3.5:::::::*
	cpe:2.3:a:rack_project:rack:1.3.6:::::::*

Configuration 4 [-]

OR	cpe:2.3:a:rack_project:rack:1.4.0:::::::*
	cpe:2.3:a:rack_project:rack:1.4.1:::::::*

Package	CPE	Advisory	Released Date
CloudForms for RHEL 6
rubygem-activesupport-1:3.0.10-10.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-delayed_job-0:2.1.4-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rack-1:1.3.0-3.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rails_warden-0:0.5.5-2.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rdoc-0:3.8-6.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-rspec-rails-0:2.6.1-7.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-ruby_parser-0:2.0.4-6.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
rubygem-shoulda-0:2.11.3-5.el6cf	cpe:/a:cloudforms_cloudengine:1::el6	RHSA-2013:0548	2013-02-21T00:00:00Z
Red Hat Subscription Asset Manager 1.2
apache-commons-codec-0:1.7-2.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
apache-mime4j-0:0.6-4_redhat_1.ep6.el6.1	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
candlepin-0:0.7.23-1.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
elasticsearch-0:0.19.9-5.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
katello-0:1.2.1-15h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
katello-certs-tools-0:1.2.1-1h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
katello-cli-0:1.2.1-12h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
katello-configure-0:1.2.3-3h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
katello-selinux-0:1.2.1-2h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
lucene3-0:3.6.1-10h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
puppet-0:2.6.17-2.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
quartz-0:2.1.5-4.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-activesupport-1:3.0.10-10.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-apipie-rails-0:0.0.12-2.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-ldap_fluff-0:0.1.3-1.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-mail-0:2.3.0-3.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-rack-1:1.3.0-3.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
rubygem-ruby_parser-0:2.0.4-6.el6cf	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
sigar-0:1.6.5-0.12.git58097d9h.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
snappy-java-0:1.0.4-2.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z
thumbslug-0:0.0.28-1.el6_3	cpe:/a:rhel_sam:1.2::el6	RHSA-2013:0544	2013-02-21T00:00:00Z

References

Link	Providers
http://rack.github.com/
http://rhn.redhat.com/errata/RHSA-2013-0544.html
http://rhn.redhat.com/errata/RHSA-2013-0548.html
https://bugzilla.redhat.com/show_bug.cgi?id=895277
https://github.com/rack/rack/blob/master/README.rdoc
https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5
https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
https://nvd.nist.gov/vuln/detail/CVE-2012-6109
https://www.cve.org/CVERecord?id=CVE-2012-6109

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-03-01T02:00:00Z

Updated: 2024-08-06T21:28:39.300Z

Reserved: 2012-12-06T00:00:00Z

Link: CVE-2012-6109

Vulnrichment

No data.

NVD

Status : Modified

Published: 2013-03-01T05:40:16.863

Modified: 2023-02-13T00:27:11.367

Link: CVE-2012-6109

Redhat

Severity : Moderate

Publid Date: 2012-05-04T00:00:00Z

Links: CVE-2012-6109 - Bugzilla

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

Metrics

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object