GSD-2022-44570
Vulnerability from gsd - Updated: 2023-01-18 00:00Details
There is a possible denial of service vulnerability in the Range header
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2022-44570.
Versions Affected: >= 1.5.0
Not affected: None.
Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1
# Impact
Carefully crafted input can cause the Range header parsing component in Rack
to take an unexpected amount of time, possibly resulting in a denial of
service attack vector. Any applications that deal with Range requests (such
as streaming applications, or applications that serve files) may be impacted.
# Workarounds
There are no feasible workarounds for this issue.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-44570",
"description": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.",
"id": "GSD-2022-44570",
"references": [
"https://www.suse.com/security/cve/CVE-2022-44570.html",
"https://ubuntu.com/security/CVE-2022-44570"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack",
"purl": "pkg:gem/rack"
}
}
],
"aliases": [
"CVE-2022-44570",
"GHSA-65f5-mfpf-vfhj"
],
"details": "There is a possible denial of service vulnerability in the Range header\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2022-44570.\n\nVersions Affected: \u003e= 1.5.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause the Range header parsing component in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that deal with Range requests (such\nas streaming applications, or applications that serve files) may be impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
"id": "GSD-2022-44570",
"modified": "2023-01-18T00:00:00.000Z",
"published": "2023-01-18T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/releases/tag/v3.0.4.1"
}
],
"schema_version": "1.4.0",
"summary": "Denial of service via header parsing in Rack"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2022-44570",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "https://github.com/rack/rack",
"version": {
"version_data": [
{
"version_value": "2.0.9.2, 2.1.4.2, 2.2.4.2, 3.0.0.1"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Denial of Service (CWE-400)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125",
"refsource": "MISC",
"url": "https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125"
},
{
"name": "DSA-5530",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2023/dsa-5530"
},
{
"name": "https://security.netapp.com/advisory/ntap-20231208-0010/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20231208-0010/"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2022-44570",
"date": "2023-01-18",
"description": "There is a possible denial of service vulnerability in the Range header\nparsing component of Rack. This vulnerability has been assigned the CVE\nidentifier CVE-2022-44570.\n\nVersions Affected: \u003e= 1.5.0\nNot affected: None.\nFixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1\n\n# Impact\n\nCarefully crafted input can cause the Range header parsing component in Rack\nto take an unexpected amount of time, possibly resulting in a denial of\nservice attack vector. Any applications that deal with Range requests (such\nas streaming applications, or applications that serve files) may be impacted.\n\n# Workarounds\n\nThere are no feasible workarounds for this issue.\n",
"gem": "rack",
"ghsa": "65f5-mfpf-vfhj",
"patched_versions": [
"~\u003e 2.0.9, \u003e= 2.0.9.2",
"~\u003e 2.1.4, \u003e= 2.1.4.2",
"~\u003e 2.2.6, \u003e= 2.2.6.2",
"\u003e= 3.0.4.1"
],
"title": "Denial of service via header parsing in Rack",
"url": "https://github.com/rack/rack/releases/tag/v3.0.4.1"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.5.0 \u003c2.0.9.2||\u003e=2.1.0 \u003c2.1.4.2||\u003e=2.2.0 \u003c2.2.6.1||\u003e=3.0.0 \u003c3.0.4.1",
"affected_versions": "All versions starting from 1.5.0 before 2.0.9.2, all versions starting from 2.1.0 before 2.1.4.2, all versions starting from 2.2.0 before 2.2.6.1, all versions starting from 3.0.0 before 3.0.4.1",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-1333",
"CWE-937"
],
"date": "2023-06-23",
"description": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.",
"fixed_versions": [
"2.0.9.2",
"2.1.4.2",
"2.2.6.1",
"3.0.4.1"
],
"identifier": "CVE-2022-44570",
"identifiers": [
"CVE-2022-44570",
"GHSA-65f5-mfpf-vfhj",
"GMS-2023-64"
],
"not_impacted": "All versions before 1.5.0, all versions starting from 2.0.9.2 before 2.1.0, all versions starting from 2.1.4.2 before 2.2.0, all versions starting from 2.2.6.1 before 3.0.0, all versions starting from 3.0.4.1",
"package_slug": "gem/rack",
"pubdate": "2023-02-09",
"solution": "Upgrade to versions 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1 or above.",
"title": "Uncontrolled Resource Consumption",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-44570",
"https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125",
"https://github.com/rack/rack/releases/tag/v3.0.4.1",
"https://github.com/advisories/GHSA-65f5-mfpf-vfhj"
],
"uuid": "2776d6c2-9320-4c14-9b4d-d6d56d4fbff6"
},
{
"affected_range": "\u003c0",
"affected_versions": "All versions starting from 1.5.0 before 2.0.9.2, all versions starting from 2.1.0.0 before 2.1.4.2, all versions starting from 2.2.0.0 before 2.2.6.2, all versions starting from 3.0.0.0 before 3.0.4.1",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2023-01-18",
"description": "There is a possible denial of service vulnerability in the `Range` header parsing component of Rack. Carefully crafted input can cause the `Range` header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with `Range` requests (such as streaming applications, or applications that serve files) may be impacted.",
"fixed_versions": [
"2.0.9.2",
"2.1.4.2",
"2.2.6.2",
"3.0.4.1"
],
"identifier": "GMS-2023-64",
"identifiers": [
"GHSA-65f5-mfpf-vfhj",
"GMS-2023-64",
"CVE-2022-44570"
],
"not_impacted": "All versions before 1.5.0, all versions starting from 2.0.9.2 before 2.1.0.0, all versions starting from 2.1.4.2 before 2.2.0.0, all versions starting from 2.2.6.2 before 3.0.0.0, all versions starting from 3.0.4.1",
"package_slug": "gem/rack",
"pubdate": "2023-01-18",
"solution": "Upgrade to versions 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1 or above.",
"title": "Duplicate of ./gem/rack/CVE-2022-44570.yml",
"urls": [
"https://github.com/rack/rack/releases/tag/v3.0.4.1",
"https://github.com/advisories/GHSA-65f5-mfpf-vfhj"
],
"uuid": "9dbc4db5-c1de-4740-a597-cce01b2ac421"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "2.1.4.2",
"versionStartIncluding": "2.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "3.0.4.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "2.2.6.1",
"versionStartIncluding": "2.2.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "2.0.9.2",
"versionStartIncluding": "1.5.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"ID": "CVE-2022-44570"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A denial of service vulnerability in the Range header parsing component of Rack \u003e= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-1333"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125",
"refsource": "MISC",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125"
},
{
"name": "DSA-5530",
"refsource": "DEBIAN",
"tags": [],
"url": "https://www.debian.org/security/2023/dsa-5530"
},
{
"name": "https://security.netapp.com/advisory/ntap-20231208-0010/",
"refsource": "",
"tags": [],
"url": "https://security.netapp.com/advisory/ntap-20231208-0010/"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2023-12-08T22:15Z",
"publishedDate": "2023-02-09T20:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…