Rack · Rack · CVE-2025-25184
**Name of the Vulnerable Software and Affected Versions**
Rack versions prior to 2.2.11, 3.0.12, and 3.1.11
**Description**
Rack provides an interface for developing web applications in Ruby. The issue occurs when a server intentionally or unintentionally allows creation of a user whose username contains CRLF and whitespace characters, or when the server simply logs every login attempt. If an attacker submits a username containing CRLF characters, the logger writes that username, CRLF included, into the log file. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.
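To make the failure concrete, the following added example (not Rack's own code) builds a Common Log Format line from a constructed Rack `env` hash, once with the username interpolated as-is and once through a control-character escaping step; the `sanitize_log_field` helper and all env values are assumptions for the demonstration.

```ruby
# Common Log Format as written by access loggers: host, user, time, request, status, size, duration.
FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f\n}

# Replace CR, LF and every other control character with a visible escape
# so a logged value can never start a new log line or terminate a field.
def sanitize_log_field(value)
  return "-" if value.nil? || value.empty?
  value.gsub(/[\x00-\x1F\x7F]/) { |c| format('\\x%02X', c.ord) }
end

# Builds one log line from a Rack env hash. With sanitize: false the username
# is interpolated untouched, which is the behaviour the advisory describes.
def common_log_line(env, status, length, started_at, sanitize: true)
  user = env["REMOTE_USER"]
  user = sanitize ? sanitize_log_field(user) : (user || "-")
  query = env["QUERY_STRING"].to_s.empty? ? "" : "?#{env["QUERY_STRING"]}"
  format(FORMAT,
         env["REMOTE_ADDR"] || "-",
         user,
         started_at.strftime("%d/%b/%Y:%H:%M:%S %z"),
         env["REQUEST_METHOD"], env["PATH_INFO"], query, env["SERVER_PROTOCOL"],
         status.to_s[0..3],
         length.to_s == "0" ? "-" : length,
         0.0)
end

# Constructed env: the username carries a CRLF followed by a forged entry.
FORGED_USER = "alice\r\n203.0.113.9 - admin [01/Jan/2025:00:00:00 +0000] \"POST /login HTTP/1.1\" 200 -"
SAMPLE_ENV = {
  "REMOTE_ADDR" => "198.51.100.7", "REMOTE_USER" => FORGED_USER,
  "REQUEST_METHOD" => "GET", "PATH_INFO" => "/account", "QUERY_STRING" => "",
  "SERVER_PROTOCOL" => "HTTP/1.1",
}
T0 = Time.utc(2025, 1, 1)

def unsafe_line
  common_log_line(SAMPLE_ENV, 200, 512, T0, sanitize: false)
end

def safe_line
  common_log_line(SAMPLE_ENV, 200, 512, T0)
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_line.lines.count} log lines written\n#{unsafe_line}"
  puts "safe:   #{safe_line.lines.count} log line written\n#{safe_line}"
end
```

The unsafe path emits two lines, the second of which is entirely attacker-controlled; the sanitized path keeps the whole value on one line, so a log parser or SIEM sees the escape sequence rather than a plausible separate event.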
**Recommendations**
- Update to version 2.2.11 or later for Rack version 2.2.x
- Update to version 3.0.12 or later for Rack version 3.0.x
- Update to version 3.1.11 or later for Rack version 3.1.x
As a temporary workaround, consider restricting the use of `Rack::CommonLogger` until a patch is available. Avoid using the `env['REMOTE_USER']` variable in the affected API endpoint until the issue is resolved.