VDB

CVE-2022-44571

CVE-2022-44571 PUBLISHED CVSS 7.5 HIGH

Reported by hackerone · Published February 9, 2023

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Risk Scores

CVSS 3.1
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products

Vendor   | Product                        | Versions
n/a      | https://github.com/rack/rack   | 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1
n/a      | https://github.com/rack/rack   | 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1, *, 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1
RubyGems | rack                           | 2.0.0, 2.1.0, 2.2.0

Timeline

  • CVE Published
  • Feb 10, 2023 EPSS Score
  • Mar 22, 2023 EPSS Score
  • Jun 9, 2023 EPSS Score
  • Jul 27, 2023 PoC Published
  • Aug 28, 2023 EPSS Score
  • Nov 16, 2023 EPSS Score
  • Feb 3, 2024 EPSS Score
  • Apr 23, 2024 EPSS Score
  • Jul 12, 2024 EPSS Score
  • Aug 21, 2024 EPSS Score
  • Nov 8, 2024 EPSS Score