Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
Vulnerability Description
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
CWE-1333
Vulnerability Title
Rack 安全漏洞
Vulnerability Description
Rack是模块化的Ruby Web服务器界面。 Rack 3.1.0版本至3.1.5之前版本存在安全漏洞,该漏洞源于存在正则表达式拒绝服务(ReDoS)漏洞,攻击者可以利用此漏洞发送特制的标头,导致服务器花费过多时间处理请求并导致拒绝服务(DoS)。
CVSS Information
N/A
Vulnerability Type
N/A