PT-2023-8903 · Rack+6

Published 2023-01-18 · Updated 2026-03-13 · CVE-2022-44572

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Rack versions 2.0.0 through 2.0.9.1
Rack versions 2.1.0 through 2.1.4.1
Rack versions 2.2.0 through 2.2.4.0
Rack versions 3.0.0 through 3.0.0.0
Description

A denial of service vulnerability in the multipart parsing component of Rack allows an attacker to craft a multipart request body that causes RFC 2183 multipart boundary parsing in Rack to take an unexpectedly long time, possibly resulting in a denial of service. The request needs no authentication and can be sent over the network (CVSS vector AV:N/Au:N); the impact is on availability only (C:N/I:N/A:C). Any application that parses multipart POSTs using Rack is affected. As the patch names indicate, the fix forbids control characters in the attributes of multipart part headers.
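The stop-gap below is an added illustration and is not Rack's code or the upstream patch: a Rack middleware that rejects multipart bodies whose Content-Disposition part headers carry control characters in their attribute list, the input class the "Forbid-control-characters-in-attributes" patches disallow. It assumes a rewindable rack.input (Rack 2.x), that part headers appear within the first megabyte of the body, and that the guard sits in front of an unpatched Rack; the sample bodies are constructed. Updating Rack is the real fix.

```ruby
# Added example (not Rack's own code, not the upstream patch): reject multipart
# requests whose Content-Disposition part headers contain control characters.
require 'stringio'

class RejectControlCharsInMultipart
  MULTIPART_RE   = %r{\Amultipart/form-data}i
  # A Content-Disposition part header line, read up to (not including) CR/LF.
  DISPOSITION_RE = /^Content-Disposition:[^\r\n]*/i
  # ASCII control characters NUL..US and DEL. HTAB is rejected too, which is
  # stricter than the quoted-string grammar but matches no real browser upload.
  CONTROL_RE     = /[\x00-\x1f\x7f]/

  def initialize(app, max_scan_bytes: 1 << 20)
    @app = app
    @max_scan_bytes = max_scan_bytes # assumption: part headers sit early in the body
  end

  def call(env)
    if env['CONTENT_TYPE'].to_s.match?(MULTIPART_RE) && (input = env['rack.input'])
      data = input.read(@max_scan_bytes).to_s.b # binary-tag so regexes never hit invalid UTF-8
      input.rewind                              # assumption: Rack 2.x rewindable input
      if self.class.suspicious?(data)
        return [400, { 'content-type' => 'text/plain' }, ["bad multipart header\n"]]
      end
    end
    @app.call(env)
  end

  # True when any Content-Disposition line has a control character anywhere
  # after the field name, i.e. inside its attribute list.
  def self.suspicious?(body)
    body.b.scan(DISPOSITION_RE).any? do |line|
      line.sub(/\AContent-Disposition:/i, '').match?(CONTROL_RE)
    end
  end
end

# Constructed sample bodies for a local run.
GOOD_BODY = "--B\r\nContent-Disposition: form-data; name=\"f\"; filename=\"a.txt\"\r\n" \
            "Content-Type: text/plain\r\n\r\nhello\r\n--B--\r\n"
BAD_BODY  = "--B\r\nContent-Disposition: form-data; name=\"f\x00\x01\"; filename=\"a\"\r\n" \
            "\r\nx\r\n--B--\r\n"

def demo_env(body)
  { 'CONTENT_TYPE' => 'multipart/form-data; boundary=B', 'rack.input' => StringIO.new(body) }
end

if $PROGRAM_NAME == __FILE__
  guard = RejectControlCharsInMultipart.new(->(_env) { [200, {}, ['ok']] })
  puts guard.call(demo_env(GOOD_BODY))[0] # 200
  puts guard.call(demo_env(BAD_BODY))[0]  # 400
end
```

The scan is deliberately shallow: it looks at header lines, not at the parsed attribute grammar, so an uploaded file whose content itself contains a "Content-Disposition:" line with control characters would also be rejected. That false positive is acceptable for a temporary guard; it is not a substitute for the fixed releases.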
Recommendations

For Rack versions 2.0.0 through 2.0.9.1, update to version 2.0.9.2 or apply the patch 2-0-Forbid-control-characters-in-attributes.patch.
For Rack versions 2.1.0 through 2.1.4.1, update to version 2.1.4.2 or apply the patch 2-1-Forbid-control-characters-in-attributes.patch.
For Rack versions 2.2.0 through 2.2.4.0, update to version 2.2.4.1 or apply the patch 2-2-Forbid-control-characters-in-attributes.patch.
For Rack versions 3.0.0 through 3.0.0.0, update to version 3.0.0.1 or apply the patch 3-0-Forbid-control-characters-in-attributes.patch.
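To turn the version ranges above into a check a practitioner can run against a project, here is an added helper (not from the advisory or from Rack): it reads the resolved rack version out of a Gemfile.lock, tests it against the four affected ranges using RubyGems' own version comparison (so "2.2.4" and "2.2.4.0" compare equal), and reports which fixed release to move to. The Gemfile.lock excerpt is constructed.

```ruby
# Added example (not from the advisory): audit a Gemfile.lock for CVE-2022-44572.
require 'rubygems'

# [first affected, last affected, fixed release], copied from the recommendations.
AFFECTED_RANGES = [
  ['2.0.0', '2.0.9.1', '2.0.9.2'],
  ['2.1.0', '2.1.4.1', '2.1.4.2'],
  ['2.2.0', '2.2.4.0', '2.2.4.1'],
  ['3.0.0', '3.0.0.0', '3.0.0.1'],
].map { |lo, hi, fix| [Gem::Version.new(lo), Gem::Version.new(hi), fix] }

# Returns the release to update to, or nil when the version is outside every
# affected range (older 1.x, or already at or past a fixed release).
def rack_fix_for(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RANGES.each { |lo, hi, fix| return fix if v >= lo && v <= hi }
  nil
end

# Pulls the resolved rack version from the specs section of a Gemfile.lock.
# Only the top-level "    rack (x.y.z)" line matches, not dependency lines
# such as "      rack (>= 1.3)" which are indented deeper.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^    rack \(([^)]+)\)$/)
  m && m[1]
end

def audit_lockfile(lockfile_text)
  ver = locked_rack_version(lockfile_text)
  return 'rack not found in lockfile' unless ver
  fix = rack_fix_for(ver)
  return "rack #{ver} is not in an affected range" unless fix
  "rack #{ver} is affected by CVE-2022-44572; update to #{fix}"
end

# Constructed Gemfile.lock excerpt for a local run.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.4)
      rack-test (2.0.2)
        rack (>= 1.3)
LOCK

puts audit_lockfile(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

Run it against a real lockfile with `audit_lockfile(File.read('Gemfile.lock'))`. Distribution packages (the Debian, Ubuntu, SUSE, Red Hat and other advisories listed below) backport the fix without bumping to these upstream version numbers, so for a system-installed rack check the distribution advisory rather than this range table.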

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

BDU:2024-02581
CVE-2022-44572
DLA-3298-1
DSA-5530-1
GHSA-RQV2-275X-2JQ5
MGASA-2023-0106
OESA-2024-1820
OESA-2024-1821
OESA-2024-1822
OESA-2024-1823
OPENSUSE-SU-2023_0276-1
OPENSUSE-SU-2024:12633-1
OPENSUSE-SU-2024:12634-1
OPENSUSE-SU-2024:12974-1
OPENSUSE-SU-2024:13167-1
OPENSUSE-SU-2024:13726-1
OPENSUSE-SU-2024:13727-1
OPENSUSE-SU-2025:14811-1
OPENSUSE-SU-2025:14875-1
OPENSUSE-SU-2026:10286-1
OPENSUSE-SU-2026:10358-1
RHSA-2023:6818
RLSA-2023:6818
SUSE-SU-2023:0276-1
USN-5910-1
USN-7036-1

Affected Products

Astra Linux
Linuxmint
Rack
Red Os
Rocky Linux
Suse
Ubuntu