rpm package: suse/rubygem-rack (distro: SUSE Linux Enterprise High Availability Extension 15 SP6)
pkg:rpm/suse/rubygem-rack&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP6
Vulnerabilities (7)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61919 | — | | | < 2.2.20-150000.3.34.1 | 2.2.20-150000.3.34.1 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large |
| CVE-2025-61780 | — | | | < 2.2.20-150000.3.34.1 | 2.2.20-150000.3.34.1 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca |
| CVE-2025-46727 | — | | | < 2.0.8-150000.3.31.1 | 2.0.8-150000.3.31.1 | May 7, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers |
| CVE-2025-32441 | — | | | < 2.0.8-150000.3.31.1 | 2.0.8-150000.3.31.1 | May 7, 2025 | Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the |
| CVE-2025-27610 | — | | | < 2.0.8-150000.3.26.1 | 2.0.8-150000.3.26.1 | Mar 10, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu |
| CVE-2025-27111 | — | | | < 2.0.8-150000.3.26.1 | 2.0.8-150000.3.26.1 | Mar 4, 2025 | Rack is a modular Ruby web server interface. The `Rack::Sendfile` middleware logs unsanitised header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vul |
| CVE-2025-25184 | — | | | < 2.0.8-150000.3.26.1 | 2.0.8-150000.3.26.1 | Feb 12, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, `Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting |