RubyGems package
rack
pkg:gem/rack
Vulnerabilities (50)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-16782 | — | — | — | < 1.6.12 | 1.6.12 | Dec 18, 2019 | There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually store |
| CVE-2018-16471 | — | — | — | >= 2.0.0, < 2.0.6 | 2.0.6 | Nov 13, 2018 | There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value coul |
| CVE-2018-16470 | — | — | — | >= 2.0.4, < 2.0.6 | 2.0.6 | Nov 13, 2018 | There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. |
| CVE-2015-3225 | — | — | — | >= 1.5.0, < 1.5.4 | 1.5.4 | Jul 26, 2015 | lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. |
| CVE-2013-0184 | — | — | — | >= 1.1.0, < 1.1.5 | 1.1.5 | Mar 1, 2013 | Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." |
| CVE-2013-0183 | — | — | — | >= 1.3.0, < 1.3.8 | 1.3.8 | Mar 1, 2013 | multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. |
| CVE-2012-6109 | — | — | — | < 1.1.4 | 1.1.4 | Mar 1, 2013 | lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header. |
| CVE-2013-0263 | — | — | — | >= 1.5.0, < 1.5.2 | 1.5.2 | Feb 8, 2013 | Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison |
| CVE-2013-0262 | — | — | — | >= 1.5.0, < 1.5.2 | 1.5.2 | Feb 8, 2013 | rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka |
| CVE-2011-5036 | — | — | — | < 1.1.3 | 1.1.3 | Dec 30, 2011 | Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted para |