THREATINT

PUBLISHED

CVE-2024-39316

Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Assigner: GitHub_M
Reserved: 2024-06-21
Published: 2024-07-02
Updated: 2024-07-03

Description

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. An attacker can exploit this vulnerability by sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch, so while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix.

Severity: MEDIUM (6.5)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-1333: Inefficient Regular Expression Complexity

Product status

Versions >= 3.1.0, < 3.1.5: affected

References

https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058

cve.org: CVE-2024-39316

nvd.nist.gov: CVE-2024-39316

https://cve.threatint.com/CVE/CVE-2024-39316