{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-27530", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "dateUpdated": "2024-10-15T18:33:52.509Z", "dateReserved": "2023-03-02T00:00:00", "datePublished": "2023-03-10T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-12-08T22:06:17.311008"}, "descriptions": [{"lang": "en", "value": "A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected."}], "affected": [{"vendor": "n/a", "product": "https://github.com/rack/rack", "versions": [{"version": "3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3", "status": "affected"}]}], "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388"}, {"name": "[debian-lts-announce] 20230417 [SECURITY] [DLA 3392-1] ruby-rack security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"}, {"name": "DSA-5530", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2023/dsa-5530"}, {"url": "https://security.netapp.com/advisory/ntap-20231208-0015/"}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "Denial of Service (CWE-400)", "cweId": "CWE-400"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:35.562Z"}, "title": "CVE Program Container", "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20230417 [SECURITY] [DLA 3392-1] ruby-rack security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"}, {"name": "DSA-5530", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2023/dsa-5530"}, {"url": "https://security.netapp.com/advisory/ntap-20231208-0015/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-770", "lang": "en", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T17:29:06.360143Z", "id": "CVE-2023-27530", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:33:52.509Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html", "name": "[debian-lts-announce] 20230417 [SECURITY] [DLA 3392-1] ruby-rack security update", "tags": ["mailing-list", "x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5530", "name": "DSA-5530", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231208-0015/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:16:35.562Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-27530", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T17:29:06.360143Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T18:03:49.609Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "https://github.com/rack/rack", "versions": [{"status": "affected", "version": "3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3"}]}], "references": [{"url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html", "name": "[debian-lts-announce] 20230417 [SECURITY] [DLA 3392-1] ruby-rack security update", "tags": ["mailing-list"]}, {"url": "https://www.debian.org/security/2023/dsa-5530", "name": "DSA-5530", "tags": ["vendor-advisory"]}, {"url": "https://security.netapp.com/advisory/ntap-20231208-0015/"}], "descriptions": [{"lang": "en", "value": "A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "Denial of Service (CWE-400)"}]}], "providerMetadata": {"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone", "dateUpdated": "2023-12-08T22:06:17.311008"}}}, "cveMetadata": {"cveId": "CVE-2023-27530", "state": "PUBLISHED", "dateUpdated": "2024-10-15T18:33:52.509Z", "dateReserved": "2023-03-02T00:00:00", "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "datePublished": "2023-03-10T00:00:00", "assignerShortName": "hackerone"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "ABB9DD7F-2F39-4C38-9683-57AA06B525C3", "versionEndExcluding": "2.0.9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "6E69D220-E282-40B2-938F-F416FF5F2FE3", "versionEndExcluding": "2.1.4.3", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "35858B11-E928-4F12-ADF8-6F61BA96352B", "versionEndExcluding": "2.2.6.3", "versionStartIncluding": "2.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "79788C0A-E1F1-42EE-9858-B04B10F8FA6B", "versionEndExcluding": "3.0.4.2", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected."}], "id": "CVE-2023-27530", "lastModified": "2024-11-21T07:53:06.430", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-10T22:15:10.497", "references": [{"source": "support@hackerone.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388"}, {"source": "support@hackerone.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20231208-0015/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5530"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231208-0015/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2023/dsa-5530"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3082", "cpe": "cpe:/a:redhat:enterprise_linux:8::highavailability", "package": "pcs-0:0.10.15-4.el8_8.1", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-05-16T00:00:00Z"}, {"advisory": "RHSA-2023:1961", "cpe": "cpe:/a:redhat:rhel_eus:8.4::highavailability", "package": "pcs-0:0.10.8-1.el8_4.4", "product_name": "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date": "2023-04-25T00:00:00Z"}, {"advisory": "RHSA-2023:3403", "cpe": "cpe:/a:redhat:rhel_eus:8.6::highavailability", "package": "pcs-0:0.10.12-6.el8_6.4", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-05-31T00:00:00Z"}, {"advisory": "RHSA-2023:2652", "cpe": "cpe:/a:redhat:enterprise_linux:9::highavailability", "package": "pcs-0:0.11.4-7.el9_2", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:1981", "cpe": "cpe:/a:redhat:rhel_eus:9.0::highavailability", "package": "pcs-0:0.11.1-10.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-04-25T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite:6.14::el8", "package": "rubygem-rack-0:2.2.7-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}, {"advisory": "RHSA-2023:6818", "cpe": "cpe:/a:redhat:satellite_capsule:6.14::el8", "package": "rubygem-rack-0:2.2.7-1.el8sat", "product_name": "Red Hat Satellite 6.14 for RHEL 8", "release_date": "2023-11-08T00:00:00Z"}], "bugzilla": {"description": "rubygem-rack: Denial of service in Multipart MIME parsing", "id": "2176477", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2176477"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.", "A flaw was found in rubygem-rack. This issue occurs in the Multipart MIME parsing code in Rack, which limits the number of file parts but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected, resulting in a denial of service."], "name": "CVE-2023-27530", "package_state": [{"cpe": "cpe:/a:redhat:logging:5", "fix_state": "Affected", "package_name": "openshift-logging/fluentd-rhel8", "product_name": "Logging Subsystem for Red Hat OpenShift"}, {"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3scale-amp-zync-container", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "pcs", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-rack", "product_name": "Red Hat Storage 3"}], "public_date": "2023-03-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-27530\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27530\nhttps://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388\nhttps://github.com/rubysec/ruby-advisory-db/tree/master/gems/rack/CVE-2023-27530.yml"], "threat_severity": "Moderate", "upstream_fix": "rubygem-rack 3.0.4.2, rubygem-rack 2.2.6.3, rubygem-rack 2.1.4.3, rubygem-rack 2.0.9.3"}