There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3298-1 ruby-rack security update
Debian DSA Debian DSA DSA-5530-1 ruby-rack security update
EUVD EUVD EUVD-2023-0420 There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.
Github GHSA Github GHSA GHSA-93pm-5p5f-3ghx Denial of Service Vulnerability in Rack Content-Disposition parsing
Ubuntu USN Ubuntu USN USN-5910-1 Rack vulnerabilities
Ubuntu USN Ubuntu USN USN-7036-1 Rack vulnerabilities
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 13 Feb 2025 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
CPEs cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:* cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Vendors & Products Rack Project
Rack Project rack
Rack
Rack rack

cve-icon MITRE

Status: PUBLISHED

Assigner: hackerone

Published:

Updated: 2024-08-03T13:54:03.839Z

Reserved: 2022-11-01T00:00:00

Link: CVE-2022-44571

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2023-02-09T20:15:11.153

Modified: 2025-02-13T15:37:40.953

Link: CVE-2022-44571

cve-icon Redhat

Severity : Moderate

Publid Date: 2023-01-20T00:00:00Z

Links: CVE-2022-44571 - Bugzilla

cve-icon OpenCVE Enrichment

No data.