CVE-2022-44572 - OpenCVE

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Rack Project	Rack

Configuration 1 [-]

OR	cpe:2.3:a:rack_project:rack::::::ruby::*
	cpe:2.3:a:rack_project:rack::::::ruby::*
	cpe:2.3:a:rack_project:rack::::::ruby::*

References

Link	Resource
https://hackerone.com/reports/1639882	Permissions Required Third Party Advisory
https://security.netapp.com/advisory/ntap-20231208-0014/
https://www.debian.org/security/2023/dsa-5530

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2023-02-09T00:00:00

Updated: 2023-12-08T22:06:24.574796

Reserved: 2022-11-01T00:00:00

Link: CVE-2022-44572

JSON object: View

NVD Information

Status : Modified

Published: 2023-02-09T20:15:11.220

Modified: 2023-12-08T22:15:07.523

Link: CVE-2022-44572

JSON object: View

Redhat Information

No data.

CWE

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "C3DCA512-83FE-4A97-A7F7-FC664C52AE2A", "versionEndExcluding": "2.0.9.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "C1B66022-6E77-4CFA-B55F-5BC1182A23E2", "versionEndExcluding": "2.1.4.2", "versionStartIncluding": "2.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "7ADE4A55-881C-4242-B146-E2E0F9D03DB9", "versionEndExcluding": "2.2.4.1", "versionStartIncluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted."}], "id": "CVE-2022-44572", "lastModified": "2023-12-08T22:15:07.523", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-02-09T20:15:11.220", "references": [{"source": "support@hackerone.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/1639882"}, {"source": "support@hackerone.com", "url": "https://security.netapp.com/advisory/ntap-20231208-0014/"}, {"source": "support@hackerone.com", "url": "https://www.debian.org/security/2023/dsa-5530"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-400"}], "source": "support@hackerone.com", "type": "Secondary"}]}