PT-2023-8902 · Rack+6
Ooooooo_Q · Published 2023-01-18 · Updated 2026-03-13
CVE-2022-44571
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Name of the Vulnerable Software and Affected Versions
Rack versions 2.0.0 through 2.0.9.1
Rack versions 2.1.0 through 2.1.4.1
Rack versions 2.2.0 through 2.2.4.0
Rack versions 3.0.0 through 3.0.0.0
Description
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. An attacker can craft input that causes Content-Disposition header parsing in Rack to take an unexpected amount of time, which gives a denial of service attack vector. This header is typically used in multipart parsing, so any application that parses multipart POST bodies with Rack (virtually all Rails applications) is affected. Consistent with the Au:N in the CVSS vector, no authentication is required: the cost is incurred while the request body is being parsed.
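The kind of slowdown the description refers to, shown with an added example that is not Rack's code: the regex below is an illustrative pattern of the shape that produces it (a permissive ".*" followed by "\s+" and a keyword, where the two quantifiers compete for the same run of whitespace), placed beside a single-pass parser for the same header that touches each byte a bounded number of times. The hostile header it times is constructed for this example; Rack's actual pattern, its fix and the exact inputs that trigger the bug are not reproduced here.

```ruby
require 'benchmark'

# Illustrative header regex (an assumption for this example, NOT Rack's own
# pattern). `.*` and `\s+` overlap on runs of whitespace, so when the tail of
# the pattern cannot match, every way of splitting the run between the two
# quantifiers is tried before the engine gives up: about n^2/2 steps for n
# spaces.
BACKTRACKING_DISPOSITION = /\AContent-Disposition:.*\s+name=("[^"]*"|[^;\s]+)/i

def name_via_regex(header)
  m = BACKTRACKING_DISPOSITION.match(header)
  m && m[1].delete('"')
end

# Linear-time alternative, step 1: split on ';' outside quoted strings in one
# left-to-right scan.
def split_params(value)
  parts = []
  buf = +''
  in_quotes = false
  value.each_char do |c|
    if c == '"'
      in_quotes = !in_quotes
      buf << c
    elsif c == ';' && !in_quotes
      parts << buf
      buf = +''
    else
      buf << c
    end
  end
  parts << buf
end

# Step 2: cut each parameter at its first '=' and strip surrounding quotes.
# Returns nil for anything that is not a Content-Disposition header.
def parse_disposition_linear(header)
  prefix = 'Content-Disposition:'
  return nil unless header[0, prefix.length].casecmp?(prefix)
  disposition, *params = split_params(header[prefix.length..])
  result = { disposition: disposition.strip }
  params.each do |param|
    key, sep, val = param.strip.partition('=')
    next if sep.empty? || key.empty?
    val = val.strip
    val = val[1..-2] if val.length >= 2 && val.start_with?('"') && val.end_with?('"')
    result[key.downcase.to_sym] = val
  end
  result
end

# Constructed hostile header: the keyword is present (so a cheap literal
# pre-check does not reject it early) but nothing after '=' can satisfy the
# capture group, forcing the regex to backtrack through every split.
def hostile_header(spaces)
  "Content-Disposition: form-data;#{' ' * spaces}name=;"
end

def seconds_for_regex(header)
  Benchmark.realtime { name_via_regex(header) }
end

if __FILE__ == $PROGRAM_NAME
  benign = 'Content-Disposition: form-data; name="upload"; filename="a;b.txt"'
  p name_via_regex(benign)
  p parse_disposition_linear(benign)
  # Doubling the whitespace run roughly quadruples the regex time; the
  # single-pass parser grows linearly. Exact figures depend on the Ruby build.
  [4_000, 8_000].each do |n|
    h = hostile_header(n)
    printf("%6d spaces: regex %.3fs, linear scan %.4fs\n", n,
           seconds_for_regex(h), Benchmark.realtime { parse_disposition_linear(h) })
  end
end
```

The single-pass parser is deliberately simple (it does not handle backslash escapes inside quoted strings); the point is that its cost is bounded by the header length, whereas the regex's cost depends on how the input is shaped.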
Recommendations
For Rack versions 2.0.0 through 2.0.9.1, update to version 2.0.9.2.
For Rack versions 2.1.0 through 2.1.4.1, update to version 2.1.4.2.
For Rack versions 2.2.0 through 2.2.4.0, update to version 2.2.4.1.
For Rack versions 3.0.0 through 3.0.0.0, update to version 3.0.0.1.
Restricting access to the header parsing component is not a practical workaround: the parser is reached by any request that carries a multipart body. Fixed releases exist for every affected series, so upgrading is the mitigation. Until the upgrade is deployed, reduce exposure by limiting which endpoints accept multipart uploads (for example at the reverse proxy or WAF) and by enforcing request body size limits and per-request timeouts, so that a slow parse cannot hold a worker indefinitely.
Apply the provided patches for the respective release series to aid in mitigating the issue.
Exploit
Fix
DoS
Resource Exhaustion
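A check that turns the version ranges above into something runnable, as an added example that is not part of the original advisory or of Rack: it compares a Rack version against the fixed release for its series using Gem::Version and reads the resolved version out of a Gemfile.lock. The lockfile text embedded below is constructed for the example.

```ruby
require 'rubygems'

# Fixed release per affected series, as listed in the recommendations above.
FIXED_RACK_VERSIONS = %w[2.0.9.2 2.1.4.2 2.2.4.1 3.0.0.1].map { |v| Gem::Version.new(v) }.freeze
FIRST_AFFECTED_RACK = Gem::Version.new('2.0.0')

# Returns the version to upgrade to when `version_string` falls inside one of
# the affected ranges, nil when it is already fixed, below 2.0.0, or in a
# series the advisory does not list.
def required_rack_upgrade(version_string)
  v = Gem::Version.new(version_string)
  return nil if v < FIRST_AFFECTED_RACK
  fixed = FIXED_RACK_VERSIONS.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  return nil if fixed.nil?
  v < fixed ? fixed.to_s : nil
end

# Pulls rack's resolved version out of Gemfile.lock text. The spec line is
# indented by exactly four spaces, which keeps "rack-test (x)" and six-space
# dependency lines such as "      rack (>= 1.3)" from matching.
def rack_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \(([^)]+)\)\s*$/)
  m && m[1]
end

def audit_lockfile(lockfile_text)
  version = rack_version_from_lockfile(lockfile_text)
  return { version: nil, upgrade_to: nil } if version.nil?
  { version: version, upgrade_to: required_rack_upgrade(version) }
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.4)
      rack-test (2.0.2)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  result = audit_lockfile(text)
  if result[:version].nil?
    puts 'rack not found in lockfile'
  elsif result[:upgrade_to]
    puts "rack #{result[:version]} is affected by CVE-2022-44571; upgrade to #{result[:upgrade_to]}"
  else
    puts "rack #{result[:version]} is not in an affected range"
  end
end
```

Run it with no arguments to audit the embedded sample, or pass the path of a real Gemfile.lock. A version from a series the advisory does not list (for example 3.1.x) is reported as not affected, which is correct for this CVE only; it says nothing about later advisories.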
Affected Products
Astra Linux
Linuxmint
Rack
Red Os
Rocky Linux
Suse
Ubuntu