CVE-2023-27539 (GCVE-0-2023-27539)

Vulnerability from cvelistv5 – Published: 2025-01-09 00:33 – Updated: 2025-01-09 21:24

Summary

There is a denial of service vulnerability in the header parsing component of Rack.

Severity ?

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE

CWE-noinfo Not enough information

Assigner

hackerone

References

7 references

URL	Tags
https://discuss.rubyonrails.org/t/cve-2023-27539-…
https://github.com/advisories/GHSA-c6qg-cjj8-47qp
https://github.com/rack/rack/commit/231ef369ad0b5…
https://github.com/rack/rack/commit/ee7919ea04303…
https://lists.debian.org/debian-lts-announce/2023…
https://security.netapp.com/advisory/ntap-2023120…
https://www.debian.org/security/2023/dsa-5530

Impacted products

1 product

Vendor	Product	Version
Rails	Rack	Affected: 2.2.6.4 , < 2.2.6.4 (custom) Affected: 3.0.6.1 , < 3.0.6.1 (custom)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2023-27539",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-01-09T21:22:46.686498Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-01-09T21:24:51.396Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Rack",
          "vendor": "Rails",
          "versions": [
            {
              "lessThan": "2.2.6.4",
              "status": "affected",
              "version": "2.2.6.4",
              "versionType": "custom"
            },
            {
              "lessThan": "3.0.6.1",
              "status": "affected",
              "version": "3.0.6.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "There is a denial of service vulnerability in the header parsing component of Rack."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-01-09T00:33:47.737Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
        },
        {
          "url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp"
        },
        {
          "url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c"
        },
        {
          "url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20231208-0016/"
        },
        {
          "url": "https://www.debian.org/security/2023/dsa-5530"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2023-27539",
    "datePublished": "2025-01-09T00:33:47.737Z",
    "dateReserved": "2023-03-02T17:14:03.403Z",
    "dateUpdated": "2025-01-09T21:24:51.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2023-27539",
      "date": "2026-05-20",
      "epss": "0.00364",
      "percentile": "0.58577"
    },
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"There is a denial of service vulnerability in the header parsing component of Rack.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de denegaci\\u00f3n de servicio en header parsing component de Rack.\"}]",
      "id": "CVE-2023-27539",
      "lastModified": "2025-01-09T22:15:26.340",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}]}",
      "published": "2025-01-09T01:15:07.483",
      "references": "[{\"url\": \"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://github.com/advisories/GHSA-c6qg-cjj8-47qp\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20231208-0016/\", \"source\": \"support@hackerone.com\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5530\", \"source\": \"support@hackerone.com\"}]",
      "sourceIdentifier": "support@hackerone.com",
      "vulnStatus": "Awaiting Analysis"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2023-27539\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2025-01-09T01:15:07.483\",\"lastModified\":\"2025-10-10T16:31:34.173\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is a denial of service vulnerability in the header parsing component of Rack.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de denegaci\u00f3n de servicio en header parsing component de Rack.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndExcluding\":\"2.2.6.4\",\"matchCriteriaId\":\"C8C60AD6-206D-4111-91A4-99359E29BFE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.0.6.1\",\"matchCriteriaId\":\"947A74FA-86B2-47DA-8477-ADA81EC19966\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA6FEEC2-9F11-4643-8827-749718254FED\"}]}]}],\"references\":[{\"url\":\"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466\",\"source\":\"support@hackerone.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-c6qg-cjj8-47qp\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\",\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20231208-0016/\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2023/dsa-5530\",\"source\":\"support@hackerone.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2023-27539\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-01-09T21:22:46.686498Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-01-09T21:24:44.958Z\"}}], \"cna\": {\"affected\": [{\"vendor\": \"Rails\", \"product\": \"Rack\", \"versions\": [{\"status\": \"affected\", \"version\": \"2.2.6.4\", \"lessThan\": \"2.2.6.4\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"3.0.6.1\", \"lessThan\": \"3.0.6.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466\"}, {\"url\": \"https://github.com/advisories/GHSA-c6qg-cjj8-47qp\"}, {\"url\": \"https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c\"}, {\"url\": \"https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20231208-0016/\"}, {\"url\": \"https://www.debian.org/security/2023/dsa-5530\"}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"There is a denial of service vulnerability in the header parsing component of Rack.\"}], \"providerMetadata\": {\"orgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"shortName\": \"hackerone\", \"dateUpdated\": \"2025-01-09T00:33:47.737Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2023-27539\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-01-09T21:24:51.396Z\", \"dateReserved\": \"2023-03-02T17:14:03.403Z\", \"assignerOrgId\": \"36234546-b8fa-4601-9d6f-f4e334aa8ea1\", \"datePublished\": \"2025-01-09T00:33:47.737Z\", \"assignerShortName\": \"hackerone\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

alsa-2023:2652

Vulnerability from osv_almalinux

Published

2023-05-09 00:00

Modified

2023-05-11 21:30

Summary

Important: pcs security and bug fix update

Details

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

pcs: webpack: Regression of CVE-2023-28154 fixes in the AlmaLinux (CVE-2023-2319)
rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)
rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints (BZ#2180697)
Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources (BZ#2180704)
[WebUI] fence levels prevent loading of cluster status (BZ#2183180)

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:2652	ADVISORY
	https://access.redhat.com/security/cve/CVE-2023-2319	REPORT
	https://access.redhat.com/security/cve/CVE-2023-27530	REPORT
	https://access.redhat.com/security/cve/CVE-2023-27539	REPORT
	https://bugzilla.redhat.com/2176477	REPORT
	https://bugzilla.redhat.com/2179649	REPORT
	https://bugzilla.redhat.com/2190092	REPORT
	https://errata.almalinux.org/9/ALSA-2023-2652.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "pcs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.4-7.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:9",
        "name": "pcs-snmp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.11.4-7.el9_2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* pcs: webpack: Regression of CVE-2023-28154 fixes in the AlmaLinux (CVE-2023-2319)\n* rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)\n* rubygem-rack: denial of service in header parsing (CVE-2023-27539)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Command \u0027pcs config checkpoint diff\u0027 does not show configuration differences between checkpoints (BZ#2180697)\n* Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources (BZ#2180704)\n* [WebUI] fence levels prevent loading of cluster status (BZ#2183180)",
  "id": "ALSA-2023:2652",
  "modified": "2023-05-11T21:30:41Z",
  "published": "2023-05-09T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:2652"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-2319"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-27530"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-27539"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2176477"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2179649"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2190092"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/9/ALSA-2023-2652.html"
    }
  ],
  "related": [
    "CVE-2023-28154",
    "CVE-2023-2319",
    "CVE-2023-27530",
    "CVE-2023-27539"
  ],
  "summary": "Important: pcs security and bug fix update"
}

alsa-2023:3082

Vulnerability from osv_almalinux

Published

2023-05-16 00:00

Modified

2023-05-19 22:00

Summary

Moderate: pcs security and bug fix update

Details

The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.

Security Fix(es):

rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)
rubygem-rack: denial of service in header parsing (CVE-2023-27539)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Bug Fix(es):

Command 'pcs config checkpoint diff' does not show configuration differences between checkpoints (BZ#2180700)
Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources (BZ#2180706)

References

URL

Type

	https://access.redhat.com/errata/RHSA-2023:3082	ADVISORY
	https://access.redhat.com/security/cve/CVE-2023-27530	REPORT
	https://access.redhat.com/security/cve/CVE-2023-27539	REPORT
	https://bugzilla.redhat.com/2176477	REPORT
	https://bugzilla.redhat.com/2179649	REPORT
	https://errata.almalinux.org/8/ALSA-2023-3082.html	ADVISORY

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pcs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.15-4.el8_8.1.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "pcs-snmp"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.15-4.el8_8.1.alma"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "The pcs packages provide a command-line configuration system for the Pacemaker and Corosync utilities.\n\nSecurity Fix(es):\n\n* rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)\n* rubygem-rack: denial of service in header parsing (CVE-2023-27539)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Command \u0027pcs config checkpoint diff\u0027 does not show configuration differences between checkpoints (BZ#2180700)\n* Need a way to add a scsi fencing device to a cluster without requiring a restart of all cluster resources (BZ#2180706)",
  "id": "ALSA-2023:3082",
  "modified": "2023-05-19T22:00:29Z",
  "published": "2023-05-16T00:00:00Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2023:3082"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-27530"
    },
    {
      "type": "REPORT",
      "url": "https://access.redhat.com/security/cve/CVE-2023-27539"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2176477"
    },
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/2179649"
    },
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2023-3082.html"
    }
  ],
  "related": [
    "CVE-2023-27530",
    "CVE-2023-27539"
  ],
  "summary": "Moderate: pcs security and bug fix update"
}

BDU:2024-02582

Vulnerability from fstec - Published: 15.03.2023

Title

Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack, связанная с неэффективной сложностью регулярных выражений, позволяющая нарушителю вызвать отказ в обслуживании

Description

Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack связана с обработкой входных данных, что может занять неожиданное количество времени. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, вызвать отказ в обслуживании

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Vendor

ООО «Ред Софт», ООО «РусБИТех-Астра», АО "НППКТ", Leah Neukirchen

Software Name

РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), Astra Linux Common Edition (запись в едином реестре российских программ №4433), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Rack

Software Version

7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), 1.6 «Смоленск» (Astra Linux Common Edition), до 2.8 (ОСОН ОСнова Оnyx), до 2.0.6-3 (Rack), от 2.2.0 до 2.2.6.4 (Rack), от 3.0.6 до 3.0.6.1 (Rack)

Possible Mitigations

Для rack: https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для ОСОН ОСнова Оnyx: Обновление программного обеспечения ruby-rack до версии 2.0.6-3+deb10u3 Для ОС Astra Linux Special Edition 1.7: обновить пакет ruby-rack до 2.0.6-3+deb10u3 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17 Для ОС Astra Linux: обновить пакет ruby-rack до 1.6.4-4+deb9u7 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16

Reference

https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466 https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff https://redos.red-soft.ru/support/secure/ https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.8/ https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16

CWE

CWE-1333

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Leah Neukirchen",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Common Edition), \u0434\u043e 2.8 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 2.0.6-3 (Rack), \u043e\u0442 2.2.0 \u0434\u043e 2.2.6.4 (Rack), \u043e\u0442 3.0.6 \u0434\u043e 3.0.6.1 (Rack)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0414\u043b\u044f rack:\nhttps://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c\nhttps://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f ruby-rack \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.0.6-3+deb10u3\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 ruby-rack \u0434\u043e 2.0.6-3+deb10u3 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2023-0426SE17\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 ruby-rack \u0434\u043e 1.6.4-4+deb9u7 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "15.03.2023",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2026",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.04.2024",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2024-02582",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2023-27539",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "\u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Rack",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.8  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0435\u0436\u0434\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438 \u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 Rack, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e\u0439 \u0441\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c\u044e \u0440\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u044b\u0445 \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u0439, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u0420\u0435\u0433\u0443\u043b\u044f\u0440\u043d\u044b\u0435 \u0432\u044b\u0440\u0430\u0436\u0435\u043d\u0438\u044f \u0441 \u043d\u0435\u044d\u0444\u0444\u0435\u043a\u0442\u0438\u0432\u043d\u043e\u0439 \u0432\u044b\u0447\u0438\u0441\u043b\u0438\u0442\u0435\u043b\u044c\u043d\u043e\u0439 \u0441\u043b\u043e\u0436\u043d\u043e\u0441\u0442\u044c\u044e (CWE-1333)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0435\u0436\u0434\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438 \u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 Rack \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u043e\u0439 \u0432\u0445\u043e\u0434\u043d\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445, \u0447\u0442\u043e \u043c\u043e\u0436\u0435\u0442 \u0437\u0430\u043d\u044f\u0442\u044c \u043d\u0435\u043e\u0436\u0438\u0434\u0430\u043d\u043d\u043e\u0435 \u043a\u043e\u043b\u0438\u0447\u0435\u0441\u0442\u0432\u043e \u0432\u0440\u0435\u043c\u0435\u043d\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u0437\u0432\u0430\u0442\u044c \u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0418\u0441\u0447\u0435\u0440\u043f\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u043e\u0432",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466\nhttps://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c\nhttps://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff\nhttps://redos.red-soft.ru/support/secure/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.8/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-1333",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 5,3)"
}

FKIE_CVE-2023-27539

Vulnerability from fkie_nvd - Published: 2025-01-09 01:15 - Updated: 2025-10-10 16:31

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

There is a denial of service vulnerability in the header parsing component of Rack.

References

URL	Tags
support@hackerone.com	https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466	Vendor Advisory
support@hackerone.com	https://github.com/advisories/GHSA-c6qg-cjj8-47qp	Patch, Third Party Advisory
support@hackerone.com	https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c	Patch
support@hackerone.com	https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff	Patch
support@hackerone.com	https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html	Mailing List, Third Party Advisory
support@hackerone.com	https://security.netapp.com/advisory/ntap-20231208-0016/	Third Party Advisory
support@hackerone.com	https://www.debian.org/security/2023/dsa-5530	Mailing List, Third Party Advisory

Impacted products

Vendor	Product	Version
rack	rack	*
rack	rack	*
debian	debian_linux	10.0
debian	debian_linux	11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "C8C60AD6-206D-4111-91A4-99359E29BFE0",
              "versionEndExcluding": "2.2.6.4",
              "versionStartIncluding": "2.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "947A74FA-86B2-47DA-8477-ADA81EC19966",
              "versionEndExcluding": "3.0.6.1",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a denial of service vulnerability in the header parsing component of Rack."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de denegaci\u00f3n de servicio en header parsing component de Rack."
    }
  ],
  "id": "CVE-2023-27539",
  "lastModified": "2025-10-10T16:31:34.173",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-01-09T01:15:07.483",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20231208-0016/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-C6QG-CJJ8-47QP

Vulnerability from github – Published: 2023-03-15 21:36 – Updated: 2025-01-09 15:36

Summary

Possible Denial of Service Vulnerability in Rack's header parsing

Details

There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1

Impact

Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

Workarounds

Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-27539"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-03-15T21:36:02Z",
    "nvd_published_at": "2025-01-09T01:15:07Z",
    "severity": "LOW"
  },
  "details": "There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.\n\nVersions Affected: \u003e= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1\n\n# Impact\nCarefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.\n\n# Workarounds\nSetting Regexp.timeout in Ruby 3.2 is a possible workaround.\n",
  "id": "GHSA-c6qg-cjj8-47qp",
  "modified": "2025-01-09T15:36:58Z",
  "published": "2023-03-15T21:36:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27539"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231208-0016"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Possible Denial of Service Vulnerability in Rack\u0027s header parsing"
}

GSD-2023-27539

Vulnerability from gsd - Updated: 2023-03-13 00:00

Details

There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539. Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1 # Impact Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. # Workarounds Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

Aliases

CVE-2023-27539

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2023-27539",
    "id": "GSD-2023-27539"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rack",
            "purl": "pkg:gem/rack"
          }
        }
      ],
      "aliases": [
        "CVE-2023-27539",
        "GHSA-c6qg-cjj8-47qp"
      ],
      "details": "There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.\n\nVersions Affected: \u003e= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1\n\n# Impact\nCarefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.\n\n# Workarounds\nSetting Regexp.timeout in Ruby 3.2 is a possible workaround.\n",
      "id": "GSD-2023-27539",
      "modified": "2023-03-13T00:00:00.000Z",
      "published": "2023-03-13T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
        }
      ],
      "schema_version": "1.4.0",
      "summary": "Possible Denial of Service Vulnerability in Rack\u2019s header parsing"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2023-27539",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2023-27539",
      "date": "2023-03-13",
      "description": "There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.\n\nVersions Affected: \u003e= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1\n\n# Impact\nCarefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.\n\n# Workarounds\nSetting Regexp.timeout in Ruby 3.2 is a possible workaround.\n",
      "gem": "rack",
      "ghsa": "c6qg-cjj8-47qp",
      "patched_versions": [
        "~\u003e 2.0, \u003e= 2.2.6.4",
        "\u003e= 3.0.6.1"
      ],
      "title": "Possible Denial of Service Vulnerability in Rack\u2019s header parsing",
      "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.0.0 \u003c2.2.6.4||\u003e=3.0.0 \u003c3.0.6.1",
          "affected_versions": "All versions starting from 2.0.0 before 2.2.6.4, all versions starting from 3.0.0 before 3.0.6.1",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2023-03-15",
          "description": "There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.",
          "fixed_versions": [
            "2.2.6.4",
            "3.0.6.1"
          ],
          "identifier": "GMS-2023-769",
          "identifiers": [
            "GHSA-c6qg-cjj8-47qp",
            "GMS-2023-769",
            "CVE-2023-27539"
          ],
          "not_impacted": "All versions before 2.0.0, all versions starting from 2.2.6.4 before 3.0.0, all versions starting from 3.0.6.1",
          "package_slug": "gem/rack",
          "pubdate": "2023-03-15",
          "solution": "Upgrade to versions 2.2.6.4, 3.0.6.1 or above.",
          "title": "Possible Denial of Service Vulnerability in Rack\u2019s header parsing",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2023-27539",
            "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml",
            "https://github.com/advisories/GHSA-c6qg-cjj8-47qp"
          ],
          "uuid": "3a275b96-84c7-4c7c-8017-b7fd82af8c53"
        }
      ]
    }
  }
}

OPENSUSE-SU-2024:12789-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12789

CVE-2023-27539

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2023-27539/	self
https://www.suse.com/security/cve/CVE-2023-27539	external
https://bugzilla.suse.com/1209503	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12789",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12789-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27539 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27539/"
      }
    ],
    "title": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12789-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
                "product": {
                  "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
                  "product_id": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
                "product": {
                  "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
                  "product_id": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
                "product": {
                  "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
                  "product_id": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
                "product": {
                  "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
                  "product_id": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
                "product": {
                  "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
                  "product_id": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
                "product": {
                  "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
                  "product_id": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
                "product": {
                  "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
                  "product_id": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
                "product": {
                  "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
                  "product_id": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64"
        },
        "product_reference": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le"
        },
        "product_reference": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x"
        },
        "product_reference": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
        },
        "product_reference": "ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64"
        },
        "product_reference": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le"
        },
        "product_reference": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x"
        },
        "product_reference": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
        },
        "product_reference": "ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-27539",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27539"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the header parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27539",
          "url": "https://www.suse.com/security/cve/CVE-2023-27539"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209503 for CVE-2023-27539",
          "url": "https://bugzilla.suse.com/1209503"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-2.2-2.2.6.4-1.1.x86_64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-2.2-2.2.6.4-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-27539"
    }
  ]
}

OPENSUSE-SU-2024:12805-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.1-rubygem-rack-3.0.7-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.1-rubygem-rack-3.0.7-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.1-rubygem-rack-3.0.7-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-12805

CVE-2023-27539

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 8 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

5 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2023-27539/	self
https://www.suse.com/security/cve/CVE-2023-27539	external
https://bugzilla.suse.com/1209503	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.1-rubygem-rack-3.0.7-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.1-rubygem-rack-3.0.7-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-12805",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_12805-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27539 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27539/"
      }
    ],
    "title": "ruby3.1-rubygem-rack-3.0.7-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:12805-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
                "product": {
                  "name": "ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
                  "product_id": "ruby3.1-rubygem-rack-3.0.7-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
                "product": {
                  "name": "ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
                  "product_id": "ruby3.2-rubygem-rack-3.0.7-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
                "product": {
                  "name": "ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
                  "product_id": "ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
                "product": {
                  "name": "ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
                  "product_id": "ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
                "product": {
                  "name": "ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
                  "product_id": "ruby3.1-rubygem-rack-3.0.7-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
                "product": {
                  "name": "ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
                  "product_id": "ruby3.2-rubygem-rack-3.0.7-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
                "product": {
                  "name": "ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
                  "product_id": "ruby3.1-rubygem-rack-3.0.7-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby3.2-rubygem-rack-3.0.7-1.1.x86_64",
                "product": {
                  "name": "ruby3.2-rubygem-rack-3.0.7-1.1.x86_64",
                  "product_id": "ruby3.2-rubygem-rack-3.0.7-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-3.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.aarch64"
        },
        "product_reference": "ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le"
        },
        "product_reference": "ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-3.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.s390x"
        },
        "product_reference": "ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.1-rubygem-rack-3.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.x86_64"
        },
        "product_reference": "ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-3.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.aarch64"
        },
        "product_reference": "ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le"
        },
        "product_reference": "ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-3.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.s390x"
        },
        "product_reference": "ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.2-rubygem-rack-3.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.x86_64"
        },
        "product_reference": "ruby3.2-rubygem-rack-3.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-27539",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27539"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the header parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27539",
          "url": "https://www.suse.com/security/cve/CVE-2023-27539"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209503 for CVE-2023-27539",
          "url": "https://bugzilla.suse.com/1209503"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.1-rubygem-rack-3.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.2-rubygem-rack-3.0.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-27539"
    }
  ]
}

OPENSUSE-SU-2024:13726-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.3-rubygem-rack-3.0.9.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.3-rubygem-rack-3.0.9.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-rack-3.0.9.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13726

CVE-2013-0262

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2013-0263

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2015-3225

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2018-16471

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2019-16782

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2020-8184

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-30122

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-30123

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2022-44570

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-44571

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-44572

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2023-27530

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2023-27539

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-25126

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26141

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26146

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

58 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2013-0262/	self
https://www.suse.com/security/cve/CVE-2013-0263/	self
https://www.suse.com/security/cve/CVE-2015-3225/	self
https://www.suse.com/security/cve/CVE-2018-16471/	self
https://www.suse.com/security/cve/CVE-2019-16782/	self
https://www.suse.com/security/cve/CVE-2020-8184/	self
https://www.suse.com/security/cve/CVE-2022-30122/	self
https://www.suse.com/security/cve/CVE-2022-30123/	self
https://www.suse.com/security/cve/CVE-2022-44570/	self
https://www.suse.com/security/cve/CVE-2022-44571/	self
https://www.suse.com/security/cve/CVE-2022-44572/	self
https://www.suse.com/security/cve/CVE-2023-27530/	self
https://www.suse.com/security/cve/CVE-2023-27539/	self
https://www.suse.com/security/cve/CVE-2024-25126/	self
https://www.suse.com/security/cve/CVE-2024-26141/	self
https://www.suse.com/security/cve/CVE-2024-26146/	self
https://www.suse.com/security/cve/CVE-2013-0262	external
https://bugzilla.suse.com/802795	external
https://www.suse.com/security/cve/CVE-2013-0263	external
https://bugzilla.suse.com/802794	external
https://bugzilla.suse.com/809839	external
https://www.suse.com/security/cve/CVE-2015-3225	external
https://bugzilla.suse.com/934797	external
https://www.suse.com/security/cve/CVE-2018-16471	external
https://bugzilla.suse.com/1114828	external
https://bugzilla.suse.com/1116600	external
https://bugzilla.suse.com/1122178	external
https://www.suse.com/security/cve/CVE-2019-16782	external
https://bugzilla.suse.com/1159548	external
https://bugzilla.suse.com/1183174	external
https://www.suse.com/security/cve/CVE-2020-8184	external
https://bugzilla.suse.com/1173351	external
https://bugzilla.suse.com/1177352	external
https://bugzilla.suse.com/1193081	external
https://www.suse.com/security/cve/CVE-2022-30122	external
https://bugzilla.suse.com/1200748	external
https://bugzilla.suse.com/1201588	external
https://www.suse.com/security/cve/CVE-2022-30123	external
https://bugzilla.suse.com/1200750	external
https://www.suse.com/security/cve/CVE-2022-44570	external
https://bugzilla.suse.com/1207597	external
https://www.suse.com/security/cve/CVE-2022-44571	external
https://bugzilla.suse.com/1207599	external
https://www.suse.com/security/cve/CVE-2022-44572	external
https://bugzilla.suse.com/1207596	external
https://www.suse.com/security/cve/CVE-2023-27530	external
https://bugzilla.suse.com/1209095	external
https://www.suse.com/security/cve/CVE-2023-27539	external
https://bugzilla.suse.com/1209503	external
https://www.suse.com/security/cve/CVE-2024-25126	external
https://bugzilla.suse.com/1220239	external
https://www.suse.com/security/cve/CVE-2024-26141	external
https://bugzilla.suse.com/1220242	external
https://www.suse.com/security/cve/CVE-2024-26146	external
https://bugzilla.suse.com/1220248	external
https://bugzilla.suse.com/1227310	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-rack-3.0.9.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-rack-3.0.9.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13726",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13726-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-0262 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-0262/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-0263 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-0263/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-3225 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-3225/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16471 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16471/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16782 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16782/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8184 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8184/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-30122 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-30122/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-30123 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-30123/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44570 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44570/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44571 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44571/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44572 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44572/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27530 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27530/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27539 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27539/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-25126 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-25126/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26141 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26141/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26146 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26146/"
      }
    ],
    "title": "ruby3.3-rubygem-rack-3.0.9.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13726-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-0262",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-0262"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-0262",
          "url": "https://www.suse.com/security/cve/CVE-2013-0262"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 802795 for CVE-2013-0262",
          "url": "https://bugzilla.suse.com/802795"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-0262"
    },
    {
      "cve": "CVE-2013-0263",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-0263"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-0263",
          "url": "https://www.suse.com/security/cve/CVE-2013-0263"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 802794 for CVE-2013-0263",
          "url": "https://bugzilla.suse.com/802794"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 809839 for CVE-2013-0263",
          "url": "https://bugzilla.suse.com/809839"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-0263"
    },
    {
      "cve": "CVE-2015-3225",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-3225"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-3225",
          "url": "https://www.suse.com/security/cve/CVE-2015-3225"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 934797 for CVE-2015-3225",
          "url": "https://bugzilla.suse.com/934797"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-3225"
    },
    {
      "cve": "CVE-2018-16471",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16471"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to \u0027http\u0027 or \u0027https\u0027 and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16471",
          "url": "https://www.suse.com/security/cve/CVE-2018-16471"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1114828 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1114828"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1116600 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1116600"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122178 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1122178"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16471"
    },
    {
      "cve": "CVE-2019-16782",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16782"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16782",
          "url": "https://www.suse.com/security/cve/CVE-2019-16782"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1159548 for CVE-2019-16782",
          "url": "https://bugzilla.suse.com/1159548"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1183174 for CVE-2019-16782",
          "url": "https://bugzilla.suse.com/1183174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-16782"
    },
    {
      "cve": "CVE-2020-8184",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8184"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A reliance on cookies without validation/integrity check security vulnerability exists in rack \u003c 2.2.3, rack \u003c 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8184",
          "url": "https://www.suse.com/security/cve/CVE-2020-8184"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173351 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1173351"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177352 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1177352"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193081 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1193081"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-8184"
    },
    {
      "cve": "CVE-2022-30122",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-30122"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-30122",
          "url": "https://www.suse.com/security/cve/CVE-2022-30122"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200748 for CVE-2022-30122",
          "url": "https://bugzilla.suse.com/1200748"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1201588 for CVE-2022-30122",
          "url": "https://bugzilla.suse.com/1201588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-30122"
    },
    {
      "cve": "CVE-2022-30123",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-30123"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A sequence injection vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-30123",
          "url": "https://www.suse.com/security/cve/CVE-2022-30123"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200750 for CVE-2022-30123",
          "url": "https://bugzilla.suse.com/1200750"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-30123"
    },
    {
      "cve": "CVE-2022-44570",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44570"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44570",
          "url": "https://www.suse.com/security/cve/CVE-2022-44570"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207597 for CVE-2022-44570",
          "url": "https://bugzilla.suse.com/1207597"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44570"
    },
    {
      "cve": "CVE-2022-44571",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44571"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44571",
          "url": "https://www.suse.com/security/cve/CVE-2022-44571"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207599 for CVE-2022-44571",
          "url": "https://bugzilla.suse.com/1207599"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44571"
    },
    {
      "cve": "CVE-2022-44572",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44572"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44572",
          "url": "https://www.suse.com/security/cve/CVE-2022-44572"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207596 for CVE-2022-44572",
          "url": "https://bugzilla.suse.com/1207596"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44572"
    },
    {
      "cve": "CVE-2023-27530",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27530"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A DoS vulnerability exists in Rack \u003cv3.0.4.2, \u003cv2.2.6.3, \u003cv2.1.4.3 and \u003cv2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27530",
          "url": "https://www.suse.com/security/cve/CVE-2023-27530"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209095 for CVE-2023-27530",
          "url": "https://bugzilla.suse.com/1209095"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-27530"
    },
    {
      "cve": "CVE-2023-27539",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27539"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the header parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27539",
          "url": "https://www.suse.com/security/cve/CVE-2023-27539"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209503 for CVE-2023-27539",
          "url": "https://bugzilla.suse.com/1209503"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-27539"
    },
    {
      "cve": "CVE-2024-25126",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-25126"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack\u0027s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-25126",
          "url": "https://www.suse.com/security/cve/CVE-2024-25126"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220239 for CVE-2024-25126",
          "url": "https://bugzilla.suse.com/1220239"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-25126"
    },
    {
      "cve": "CVE-2024-26141",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26141"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26141",
          "url": "https://www.suse.com/security/cve/CVE-2024-26141"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220242 for CVE-2024-26141",
          "url": "https://bugzilla.suse.com/1220242"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26141"
    },
    {
      "cve": "CVE-2024-26146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26146",
          "url": "https://www.suse.com/security/cve/CVE-2024-26146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220248 for CVE-2024-26146",
          "url": "https://bugzilla.suse.com/1220248"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227310 for CVE-2024-26146",
          "url": "https://bugzilla.suse.com/1227310"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-3.0.9.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-26146"
    }
  ]
}

OPENSUSE-SU-2024:13727-1

Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00

Summary

ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media

Severity

Moderate

Notes

Title of the patch: ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media

Description of the patch: These are all security issues fixed in the ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames: openSUSE-Tumbleweed-2024-13727

CVE-2013-0262

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2013-0263

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2015-3225

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2018-16471

6.1 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2019-16782

5.6 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2020-8184

6.8 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-30122

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-30123

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact critical

CVE-2022-44570

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-44571

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2022-44572

5.9 (Medium)


                        
                          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2023-27530

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2023-27539

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

CVE-2024-25126

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26141

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact important

CVE-2024-26146

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 4 products

Product	Version	Remediation
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

58 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/o…	self
https://www.suse.com/security/cve/CVE-2013-0262/	self
https://www.suse.com/security/cve/CVE-2013-0263/	self
https://www.suse.com/security/cve/CVE-2015-3225/	self
https://www.suse.com/security/cve/CVE-2018-16471/	self
https://www.suse.com/security/cve/CVE-2019-16782/	self
https://www.suse.com/security/cve/CVE-2020-8184/	self
https://www.suse.com/security/cve/CVE-2022-30122/	self
https://www.suse.com/security/cve/CVE-2022-30123/	self
https://www.suse.com/security/cve/CVE-2022-44570/	self
https://www.suse.com/security/cve/CVE-2022-44571/	self
https://www.suse.com/security/cve/CVE-2022-44572/	self
https://www.suse.com/security/cve/CVE-2023-27530/	self
https://www.suse.com/security/cve/CVE-2023-27539/	self
https://www.suse.com/security/cve/CVE-2024-25126/	self
https://www.suse.com/security/cve/CVE-2024-26141/	self
https://www.suse.com/security/cve/CVE-2024-26146/	self
https://www.suse.com/security/cve/CVE-2013-0262	external
https://bugzilla.suse.com/802795	external
https://www.suse.com/security/cve/CVE-2013-0263	external
https://bugzilla.suse.com/802794	external
https://bugzilla.suse.com/809839	external
https://www.suse.com/security/cve/CVE-2015-3225	external
https://bugzilla.suse.com/934797	external
https://www.suse.com/security/cve/CVE-2018-16471	external
https://bugzilla.suse.com/1114828	external
https://bugzilla.suse.com/1116600	external
https://bugzilla.suse.com/1122178	external
https://www.suse.com/security/cve/CVE-2019-16782	external
https://bugzilla.suse.com/1159548	external
https://bugzilla.suse.com/1183174	external
https://www.suse.com/security/cve/CVE-2020-8184	external
https://bugzilla.suse.com/1173351	external
https://bugzilla.suse.com/1177352	external
https://bugzilla.suse.com/1193081	external
https://www.suse.com/security/cve/CVE-2022-30122	external
https://bugzilla.suse.com/1200748	external
https://bugzilla.suse.com/1201588	external
https://www.suse.com/security/cve/CVE-2022-30123	external
https://bugzilla.suse.com/1200750	external
https://www.suse.com/security/cve/CVE-2022-44570	external
https://bugzilla.suse.com/1207597	external
https://www.suse.com/security/cve/CVE-2022-44571	external
https://bugzilla.suse.com/1207599	external
https://www.suse.com/security/cve/CVE-2022-44572	external
https://bugzilla.suse.com/1207596	external
https://www.suse.com/security/cve/CVE-2023-27530	external
https://bugzilla.suse.com/1209095	external
https://www.suse.com/security/cve/CVE-2023-27539	external
https://bugzilla.suse.com/1209503	external
https://www.suse.com/security/cve/CVE-2024-25126	external
https://bugzilla.suse.com/1220239	external
https://www.suse.com/security/cve/CVE-2024-26141	external
https://bugzilla.suse.com/1220242	external
https://www.suse.com/security/cve/CVE-2024-26146	external
https://bugzilla.suse.com/1220248	external
https://bugzilla.suse.com/1227310	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13727",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13727-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-0262 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-0262/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2013-0263 page",
        "url": "https://www.suse.com/security/cve/CVE-2013-0263/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2015-3225 page",
        "url": "https://www.suse.com/security/cve/CVE-2015-3225/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-16471 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-16471/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2019-16782 page",
        "url": "https://www.suse.com/security/cve/CVE-2019-16782/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-8184 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-8184/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-30122 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-30122/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-30123 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-30123/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44570 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44570/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44571 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44571/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2022-44572 page",
        "url": "https://www.suse.com/security/cve/CVE-2022-44572/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27530 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27530/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-27539 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-27539/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-25126 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-25126/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26141 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26141/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26146 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26146/"
      }
    ],
    "title": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13727-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2013-0262",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-0262"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka \"symlink path traversals.\"",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-0262",
          "url": "https://www.suse.com/security/cve/CVE-2013-0262"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 802795 for CVE-2013-0262",
          "url": "https://bugzilla.suse.com/802795"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-0262"
    },
    {
      "cve": "CVE-2013-0263",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2013-0263"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2013-0263",
          "url": "https://www.suse.com/security/cve/CVE-2013-0263"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 802794 for CVE-2013-0263",
          "url": "https://bugzilla.suse.com/802794"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 809839 for CVE-2013-0263",
          "url": "https://bugzilla.suse.com/809839"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2013-0263"
    },
    {
      "cve": "CVE-2015-3225",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2015-3225"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2015-3225",
          "url": "https://www.suse.com/security/cve/CVE-2015-3225"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 934797 for CVE-2015-3225",
          "url": "https://bugzilla.suse.com/934797"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2015-3225"
    },
    {
      "cve": "CVE-2018-16471",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-16471"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to \u0027http\u0027 or \u0027https\u0027 and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-16471",
          "url": "https://www.suse.com/security/cve/CVE-2018-16471"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1114828 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1114828"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1116600 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1116600"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1122178 for CVE-2018-16471",
          "url": "https://bugzilla.suse.com/1122178"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2018-16471"
    },
    {
      "cve": "CVE-2019-16782",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2019-16782"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2019-16782",
          "url": "https://www.suse.com/security/cve/CVE-2019-16782"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1159548 for CVE-2019-16782",
          "url": "https://bugzilla.suse.com/1159548"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1183174 for CVE-2019-16782",
          "url": "https://bugzilla.suse.com/1183174"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.6,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2019-16782"
    },
    {
      "cve": "CVE-2020-8184",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-8184"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A reliance on cookies without validation/integrity check security vulnerability exists in rack \u003c 2.2.3, rack \u003c 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-8184",
          "url": "https://www.suse.com/security/cve/CVE-2020-8184"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1173351 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1173351"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1177352 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1177352"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1193081 for CVE-2020-8184",
          "url": "https://bugzilla.suse.com/1193081"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-8184"
    },
    {
      "cve": "CVE-2022-30122",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-30122"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-30122",
          "url": "https://www.suse.com/security/cve/CVE-2022-30122"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200748 for CVE-2022-30122",
          "url": "https://bugzilla.suse.com/1200748"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1201588 for CVE-2022-30122",
          "url": "https://bugzilla.suse.com/1201588"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-30122"
    },
    {
      "cve": "CVE-2022-30123",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-30123"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A sequence injection vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-30123",
          "url": "https://www.suse.com/security/cve/CVE-2022-30123"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1200750 for CVE-2022-30123",
          "url": "https://bugzilla.suse.com/1200750"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "critical"
        }
      ],
      "title": "CVE-2022-30123"
    },
    {
      "cve": "CVE-2022-44570",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44570"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44570",
          "url": "https://www.suse.com/security/cve/CVE-2022-44570"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207597 for CVE-2022-44570",
          "url": "https://bugzilla.suse.com/1207597"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44570"
    },
    {
      "cve": "CVE-2022-44571",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44571"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44571",
          "url": "https://www.suse.com/security/cve/CVE-2022-44571"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207599 for CVE-2022-44571",
          "url": "https://bugzilla.suse.com/1207599"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44571"
    },
    {
      "cve": "CVE-2022-44572",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2022-44572"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2022-44572",
          "url": "https://www.suse.com/security/cve/CVE-2022-44572"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1207596 for CVE-2022-44572",
          "url": "https://bugzilla.suse.com/1207596"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2022-44572"
    },
    {
      "cve": "CVE-2023-27530",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27530"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "A DoS vulnerability exists in Rack \u003cv3.0.4.2, \u003cv2.2.6.3, \u003cv2.1.4.3 and \u003cv2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27530",
          "url": "https://www.suse.com/security/cve/CVE-2023-27530"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209095 for CVE-2023-27530",
          "url": "https://bugzilla.suse.com/1209095"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2023-27530"
    },
    {
      "cve": "CVE-2023-27539",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-27539"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "There is a denial of service vulnerability in the header parsing component of Rack.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-27539",
          "url": "https://www.suse.com/security/cve/CVE-2023-27539"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1209503 for CVE-2023-27539",
          "url": "https://bugzilla.suse.com/1209503"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-27539"
    },
    {
      "cve": "CVE-2024-25126",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-25126"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack\u0027s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-25126",
          "url": "https://www.suse.com/security/cve/CVE-2024-25126"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220239 for CVE-2024-25126",
          "url": "https://bugzilla.suse.com/1220239"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-25126"
    },
    {
      "cve": "CVE-2024-26141",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26141"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26141",
          "url": "https://www.suse.com/security/cve/CVE-2024-26141"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220242 for CVE-2024-26141",
          "url": "https://bugzilla.suse.com/1220242"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-26141"
    },
    {
      "cve": "CVE-2024-26146",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26146"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.\n",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26146",
          "url": "https://www.suse.com/security/cve/CVE-2024-26146"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220248 for CVE-2024-26146",
          "url": "https://bugzilla.suse.com/1220248"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1227310 for CVE-2024-26146",
          "url": "https://bugzilla.suse.com/1227310"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rack-2.2-2.2.8.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-26146"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2023-27539 (GCVE-0-2023-27539)

Vulnerability from osv_almalinux

Vulnerability from osv_almalinux

Impact

Workarounds

Tags

Sightings

Nomenclature