PT-2013-1897 · Rack+1

Vincent Danen · Published 2013-02-27 · Updated 2023-02-13 · CVE-2012-6109

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
Rack versions 1.1.3 and earlier
Rack versions 1.2.x through 1.2.5
Rack versions 1.3.x through 1.3.6
Rack versions 1.4.x through 1.4.1

Description
The issue is caused by an incorrect regular expression in lib/rack/multipart.rb, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header.

Recommendations
For Rack version 1.1.3 and earlier, update to version 1.1.4 or later.
For Rack version 1.2.x through 1.2.5, update to version 1.2.6 or later.
For Rack version 1.3.x through 1.3.6, update to version 1.3.7 or later.
For Rack version 1.4.x through 1.4.1, update to version 1.4.2 or later.

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2012-6109
GHSA-H77X-M5Q8-C29H
SUSE-SU-2013_0355-1
SUSE-SU-2013_0355-2

Affected Products

Rack
Suse