Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser
Vulnerability Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
算法复杂性
Vulnerability Title
Rack 安全漏洞
Vulnerability Description
Rack是Rack开源的一个模块化的Ruby web服务器界面。 Rack 3.1.21之前版本和3.2.6之前版本存在安全漏洞,该漏洞源于Rack::Multipart::Parser#handle_mime_head解析带引号的多部分参数时处理不当,可能导致拒绝服务。
CVSS Information
N/A
Vulnerability Type
N/A