VYPR

rpm package

suse/rubygem-rack&distro=SUSE Linux Enterprise High Availability Extension 15 SP5

pkg:rpm/suse/rubygem-rack&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5

Vulnerabilities (10)

  • CVE-2025-61919Oct 10, 2025
    affected < 2.2.20-150000.3.34.1fixed 2.2.20-150000.3.34.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61780Oct 10, 2025
    affected < 2.2.20-150000.3.34.1fixed 2.2.20-150000.3.34.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca

  • CVE-2025-46727May 7, 2025
    affected < 2.0.8-150000.3.31.1fixed 2.0.8-150000.3.31.1

    Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers

  • CVE-2025-32441May 7, 2025
    affected < 2.0.8-150000.3.31.1fixed 2.0.8-150000.3.31.1

    Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the

  • CVE-2025-27610Mar 10, 2025
    affected < 2.0.8-150000.3.26.1fixed 2.0.8-150000.3.26.1

    Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu

  • CVE-2025-27111Mar 4, 2025
    affected < 2.0.8-150000.3.26.1fixed 2.0.8-150000.3.26.1

    Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vul

  • CVE-2025-25184Feb 12, 2025
    affected < 2.0.8-150000.3.26.1fixed 2.0.8-150000.3.26.1

    Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting

  • CVE-2024-26141Feb 28, 2024
    affected < 2.0.8-150000.3.21.2fixed 2.0.8-150000.3.21.2

    Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middlewa

  • CVE-2024-25126Feb 28, 2024
    affected < 2.0.8-150000.3.21.2fixed 2.0.8-150000.3.21.2

    Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1

  • CVE-2024-26146Feb 28, 2024
    affected < 2.0.8-150000.3.21.2fixed 2.0.8-150000.3.21.2

    Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack appl