VDB
CVE-2011-5036
CVE-2011-5036
PUBLISHED
CVSS 5 MEDIUM
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
EPSS 1.28% · 79.9th percentile
Risk Scores
CVSS v2.0
5
EPSS Score
1.28%
79.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| rack_project | rack | 1.2.2, 0, 1.2.0 |
| RubyGems | rack | 1.3.0, 0, 1.2.0 |
| n/a | n/a | * |
| Maven | org.jruby:jruby-parent | 0 |
Timeline
- Dec 29, 2011 CVE Published
- Oct 30, 2013 CVE Updated
- Feb 4, 2022 EPSS Score
- Mar 29, 2022 EPSS Score
- May 20, 2022 EPSS Score
- Jul 12, 2022 EPSS Score
- Sep 3, 2022 EPSS Score
- Dec 17, 2022 EPSS Score
- Feb 8, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 1, 2023 EPSS Score
- May 24, 2023 EPSS Score
References
- http://www.nruns.com/_downloads/advisory28122011.pdf url
- https://gist.github.com/52bbc6b9cc19ce330829 url
- VU#903934 third-party-advisory
- 20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table mailing-list
- DSA-2783 vendor-advisory
- http://www.ocert.org/advisories/ocert-2011-003.html url
- https://nvd.nist.gov/vuln/detail/CVE-2011-5036 advisory
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml url
- https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1 url
- https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html url