Action not permitted
Modal body text goes here.
Modal Title
Modal Body
usn-6689-1
Vulnerability from osv_ubuntu
It was discovered that Rack incorrectly parse some headers. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)
{
"affected": [
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.2.4-3ubuntu0.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:23.10",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.2.4-3ubuntu0.1?arch=source\u0026distro=mantic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.4-3ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.4-3"
]
}
],
"aliases": [],
"details": "It was discovered that Rack incorrectly parse some headers.\nAn attacker could possibly use this issue to cause a denial of service.\n(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)\n",
"id": "USN-6689-1",
"modified": "2024-03-12T10:22:55.302280Z",
"published": "2024-03-12T10:22:55.302280Z",
"references": [
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6689-1"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-27539"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-26141"
},
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-26146"
}
],
"related": [
"CVE-2023-27539",
"UBUNTU-CVE-2023-27539",
"CVE-2024-26141",
"UBUNTU-CVE-2024-26141",
"CVE-2024-26146",
"UBUNTU-CVE-2024-26146"
],
"schema_version": "1.6.3",
"summary": "ruby-rack vulnerabilities"
}
CVE-2023-27539 (GCVE-0-2023-27539)
Vulnerability from cvelistv5 – Published: 2025-01-09 00:33 – Updated: 2025-01-09 21:24{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-27539",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-09T21:22:46.686498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-noinfo Not enough information",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T21:24:51.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rack",
"vendor": "Rails",
"versions": [
{
"lessThan": "2.2.6.4",
"status": "affected",
"version": "2.2.6.4",
"versionType": "custom"
},
{
"lessThan": "3.0.6.1",
"status": "affected",
"version": "3.0.6.1",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "There is a denial of service vulnerability in the header parsing component of Rack."
}
],
"providerMetadata": {
"dateUpdated": "2025-01-09T00:33:47.737Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
},
{
"url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp"
},
{
"url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c"
},
{
"url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20231208-0016/"
},
{
"url": "https://www.debian.org/security/2023/dsa-5530"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2023-27539",
"datePublished": "2025-01-09T00:33:47.737Z",
"dateReserved": "2023-03-02T17:14:03.403Z",
"dateUpdated": "2025-01-09T21:24:51.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26141 (GCVE-0-2024-26141)
Vulnerability from cvelistv5 – Published: 2024-02-28 23:28 – Updated: 2025-02-13 17:41- CWE-400 - Uncontrolled Resource Consumption
| URL | Tags |
|---|---|
| https://github.com/rack/rack/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/rack/rack/commit/4849132bef471… | x_refsource_MISC |
| https://github.com/rack/rack/commit/62457686b26d3… | x_refsource_MISC |
| https://discuss.rubyonrails.org/t/possible-dos-vu… | x_refsource_MISC |
| https://github.com/rubysec/ruby-advisory-db/blob/… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2024… | |
| https://security.netapp.com/advisory/ntap-2024051… |
| Vendor | Product | Version | |
|---|---|---|---|
| rack | rack |
Affected:
>= 3.0.0, < 3.0.9.1
Affected: >= 1.3.0, < 2.2.8.1 |
|
| rack_project | rack |
Affected:
3.0.0 , < 3.0.9.1
(custom)
Affected: 1.3.0 , < 2.2.8.1 (custom) cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:* |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.578Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6"
},
{
"name": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9"
},
{
"name": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0007/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*"
],
"defaultStatus": "unknown",
"product": "rack",
"vendor": "rack_project",
"versions": [
{
"lessThan": "3.0.9.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
},
{
"lessThan": "2.2.8.1",
"status": "affected",
"version": "1.3.0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26141",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-03-05T18:23:59.367185Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-28T17:55:43.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.9.1"
},
{
"status": "affected",
"version": "\u003e= 1.3.0, \u003c 2.2.8.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T16:12:57.074Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6"
},
{
"name": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9"
},
{
"name": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0007/"
}
],
"source": {
"advisory": "GHSA-xj5v-6v4g-jfw6",
"discovery": "UNKNOWN"
},
"title": "Possible DoS Vulnerability with Range Header in Rack"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26141",
"datePublished": "2024-02-28T23:28:10.503Z",
"dateReserved": "2024-02-14T17:40:03.688Z",
"dateUpdated": "2025-02-13T17:41:04.867Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-26146 (GCVE-0-2024-26146)
Vulnerability from cvelistv5 – Published: 2024-02-28 23:28 – Updated: 2025-02-13 17:41- CWE-1333 - Inefficient Regular Expression Complexity
| URL | Tags |
|---|---|
| https://github.com/rack/rack/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/rack/rack/commit/30b8e39a578b2… | x_refsource_MISC |
| https://github.com/rack/rack/commit/6c5d90bdcec09… | x_refsource_MISC |
| https://github.com/rack/rack/commit/a227cd793778c… | x_refsource_MISC |
| https://github.com/rack/rack/commit/e4c117749ba24… | x_refsource_MISC |
| https://discuss.rubyonrails.org/t/possible-denial… | x_refsource_MISC |
| https://github.com/rubysec/ruby-advisory-db/blob/… | x_refsource_MISC |
| https://lists.debian.org/debian-lts-announce/2024… | |
| https://security.netapp.com/advisory/ntap-2024051… |
| Vendor | Product | Version | |
|---|---|---|---|
| rack | rack |
Affected:
>= 3.0.0, < 3.0.9.1
Affected: >= 2.2.0, < 2.2.8.1 Affected: >= 2.1.0, < 2.1.4.4 Affected: < 2.0.9.4 |
|
| rack_project | rack |
Affected:
2.1.0 , < 2.1.4.4
(custom)
Affected: 2.2.0 , < 2.2.8.1 (custom) Affected: 3.0.0 , < 3.0.9.1 (custom) cpe:2.3:a:rack_project:rack:2.2.0:*:*:*:*:ruby:*:* cpe:2.3:a:rack_project:rack:2.1.0:*:*:*:*:ruby:*:* cpe:2.3:a:rack_project:rack:3.0.0:-:*:*:*:ruby:*:* |
|
| rack_project | rack |
Affected:
0 , < 2.0.9.4
(custom)
cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:* |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:rack_project:rack:2.2.0:*:*:*:*:ruby:*:*",
"cpe:2.3:a:rack_project:rack:2.1.0:*:*:*:*:ruby:*:*",
"cpe:2.3:a:rack_project:rack:3.0.0:-:*:*:*:ruby:*:*"
],
"defaultStatus": "unknown",
"product": "rack",
"vendor": "rack_project",
"versions": [
{
"lessThan": "2.1.4.4",
"status": "affected",
"version": "2.1.0",
"versionType": "custom"
},
{
"lessThan": "2.2.8.1",
"status": "affected",
"version": "2.2.0",
"versionType": "custom"
},
{
"lessThan": "3.0.9.1",
"status": "affected",
"version": "3.0.0",
"versionType": "custom"
}
]
},
{
"cpes": [
"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*"
],
"defaultStatus": "unknown",
"product": "rack",
"vendor": "rack_project",
"versions": [
{
"lessThan": "2.0.9.4",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-26146",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-29T17:31:54.207314Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-25T16:39:52.274Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:59:32.576Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
},
{
"name": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
},
{
"name": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
},
{
"name": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
},
{
"name": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
},
{
"tags": [
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0006/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c 3.0.9.1"
},
{
"status": "affected",
"version": "\u003e= 2.2.0, \u003c 2.2.8.1"
},
{
"status": "affected",
"version": "\u003e= 2.1.0, \u003c 2.1.4.4"
},
{
"status": "affected",
"version": "\u003c 2.0.9.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1333",
"description": "CWE-1333: Inefficient Regular Expression Complexity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-10T17:12:58.798Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f"
},
{
"name": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716"
},
{
"name": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582"
},
{
"name": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f"
},
{
"name": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd"
},
{
"name": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942",
"tags": [
"x_refsource_MISC"
],
"url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942"
},
{
"name": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0006/"
}
],
"source": {
"advisory": "GHSA-54rr-7fvw-6x8f",
"discovery": "UNKNOWN"
},
"title": "Possible Denial of Service Vulnerability in Rack Header Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-26146",
"datePublished": "2024-02-28T23:28:01.158Z",
"dateReserved": "2024-02-14T17:40:03.689Z",
"dateUpdated": "2025-02-13T17:41:07.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
ubuntu-cve-2023-27539
Vulnerability from osv_ubuntu
There is a denial of service vulnerability in the header parsing component of Rack.
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "librack-ruby",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm7"
},
{
"binary_name": "librack-ruby1.8",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm7"
},
{
"binary_name": "librack-ruby1.9.1",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm7"
},
{
"binary_name": "ruby-rack",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm7"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.5.2-3+deb8u3ubuntu1~esm7?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2-3+deb8u3ubuntu1~esm7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-1",
"1.5.2-1ubuntu0.1~esm1",
"1.5.2-3+deb8u3ubuntu1~esm2",
"1.5.2-3+deb8u3ubuntu1~esm3",
"1.5.2-3+deb8u3ubuntu1~esm4",
"1.5.2-3+deb8u3ubuntu1~esm6"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-3ubuntu0.2+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm5?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-3ubuntu0.2+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-4",
"1.6.4-2",
"1.6.4-3",
"1.6.4-3ubuntu0.1",
"1.6.4-3ubuntu0.2",
"1.6.4-3ubuntu0.2+esm1",
"1.6.4-3ubuntu0.2+esm2",
"1.6.4-3ubuntu0.2+esm4"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-4ubuntu0.2+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm5?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-4ubuntu0.2+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.4-4",
"1.6.4-4ubuntu0.1",
"1.6.4-4ubuntu0.2",
"1.6.4-4ubuntu0.2+esm1",
"1.6.4-4ubuntu0.2+esm2",
"1.6.4-4ubuntu0.2+esm4"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.0.7-2ubuntu0.1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm4?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.7-2ubuntu0.1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.6-3",
"2.0.7-2",
"2.0.7-2ubuntu0.1",
"2.0.7-2ubuntu0.1+esm1",
"2.0.7-2ubuntu0.1+esm2",
"2.0.7-2ubuntu0.1+esm3"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1+esm4"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1+esm4?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1+esm4"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1",
"2.1.4-5ubuntu1+esm2",
"2.1.4-5ubuntu1+esm3"
]
}
],
"aliases": [],
"details": "There is a denial of service vulnerability in the header parsing component of Rack.",
"id": "UBUNTU-CVE-2023-27539",
"modified": "2025-10-14T17:03:15Z",
"published": "2023-03-22T00:00:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2023-27539"
},
{
"type": "REPORT",
"url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6689-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-27539"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6905-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7036-1"
}
],
"related": [
"USN-6689-1",
"USN-6905-1",
"USN-7036-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2023-27539"
]
}
ubuntu-cve-2024-26141
Vulnerability from osv_ubuntu
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
| URL | Type | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "librack-ruby",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "librack-ruby1.8",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "librack-ruby1.9.1",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "ruby-rack",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.5.2-3+deb8u3ubuntu1~esm8?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2-3+deb8u3ubuntu1~esm8"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-1",
"1.5.2-1ubuntu0.1~esm1",
"1.5.2-3+deb8u3ubuntu1~esm2",
"1.5.2-3+deb8u3ubuntu1~esm3",
"1.5.2-3+deb8u3ubuntu1~esm4",
"1.5.2-3+deb8u3ubuntu1~esm6",
"1.5.2-3+deb8u3ubuntu1~esm7"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-3ubuntu0.2+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm6?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-3ubuntu0.2+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-4",
"1.6.4-2",
"1.6.4-3",
"1.6.4-3ubuntu0.1",
"1.6.4-3ubuntu0.2",
"1.6.4-3ubuntu0.2+esm1",
"1.6.4-3ubuntu0.2+esm2",
"1.6.4-3ubuntu0.2+esm4",
"1.6.4-3ubuntu0.2+esm5"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-4ubuntu0.2+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm6?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-4ubuntu0.2+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.4-4",
"1.6.4-4ubuntu0.1",
"1.6.4-4ubuntu0.2",
"1.6.4-4ubuntu0.2+esm1",
"1.6.4-4ubuntu0.2+esm2",
"1.6.4-4ubuntu0.2+esm4",
"1.6.4-4ubuntu0.2+esm5"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.0.7-2ubuntu0.1+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm5?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.7-2ubuntu0.1+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.6-3",
"2.0.7-2",
"2.0.7-2ubuntu0.1",
"2.0.7-2ubuntu0.1+esm1",
"2.0.7-2ubuntu0.1+esm2",
"2.0.7-2ubuntu0.1+esm3",
"2.0.7-2ubuntu0.1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1+esm5?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1",
"2.1.4-5ubuntu1+esm2",
"2.1.4-5ubuntu1+esm3",
"2.1.4-5ubuntu1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.2.7-1ubuntu0.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.2.7-1ubuntu0.1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.7-1ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.4-3",
"2.2.7-1"
]
}
],
"aliases": [],
"details": "Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.",
"id": "UBUNTU-CVE-2024-26141",
"modified": "2025-07-18T16:56:28Z",
"published": "2024-02-29T00:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-26141"
},
{
"type": "REPORT",
"url": "https://github.com/rack/rack/releases/tag/v2.2.8.1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6689-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26141"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6837-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6837-2"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7036-1"
}
],
"related": [
"USN-6689-1",
"USN-6837-1",
"USN-6837-2",
"USN-7036-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2024-26141"
]
}
ubuntu-cve-2024-26146
Vulnerability from osv_ubuntu
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
| URL | Type | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"affected": [
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "librack-ruby",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "librack-ruby1.8",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "librack-ruby1.9.1",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
},
{
"binary_name": "ruby-rack",
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm8"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:14.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.5.2-3+deb8u3ubuntu1~esm8?arch=source\u0026distro=trusty/esm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.2-3+deb8u3ubuntu1~esm8"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-1",
"1.5.2-1ubuntu0.1~esm1",
"1.5.2-3+deb8u3ubuntu1~esm2",
"1.5.2-3+deb8u3ubuntu1~esm3",
"1.5.2-3+deb8u3ubuntu1~esm4",
"1.5.2-3+deb8u3ubuntu1~esm6",
"1.5.2-3+deb8u3ubuntu1~esm7"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-3ubuntu0.2+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:16.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm6?arch=source\u0026distro=esm-apps/xenial"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-3ubuntu0.2+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.5.2-4",
"1.6.4-2",
"1.6.4-3",
"1.6.4-3ubuntu0.1",
"1.6.4-3ubuntu0.2",
"1.6.4-3ubuntu0.2+esm1",
"1.6.4-3ubuntu0.2+esm2",
"1.6.4-3ubuntu0.2+esm4",
"1.6.4-3ubuntu0.2+esm5"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "1.6.4-4ubuntu0.2+esm6"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:18.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm6?arch=source\u0026distro=esm-apps/bionic"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.4-4ubuntu0.2+esm6"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"1.6.4-4",
"1.6.4-4ubuntu0.1",
"1.6.4-4ubuntu0.2",
"1.6.4-4ubuntu0.2+esm1",
"1.6.4-4ubuntu0.2+esm2",
"1.6.4-4ubuntu0.2+esm4",
"1.6.4-4ubuntu0.2+esm5"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.0.7-2ubuntu0.1+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:20.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm5?arch=source\u0026distro=esm-apps/focal"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.0.7-2ubuntu0.1+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.0.6-3",
"2.0.7-2",
"2.0.7-2ubuntu0.1",
"2.0.7-2ubuntu0.1+esm1",
"2.0.7-2ubuntu0.1+esm2",
"2.0.7-2ubuntu0.1+esm3",
"2.0.7-2ubuntu0.1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1?arch=source\u0026distro=jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1"
]
},
{
"ecosystem_specific": {
"availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.1.4-5ubuntu1+esm5"
}
]
},
"package": {
"ecosystem": "Ubuntu:Pro:22.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1+esm5?arch=source\u0026distro=esm-apps/jammy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.4-5ubuntu1+esm5"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.1.4-3",
"2.1.4-4",
"2.1.4-5",
"2.1.4-5ubuntu1",
"2.1.4-5ubuntu1+esm2",
"2.1.4-5ubuntu1+esm3",
"2.1.4-5ubuntu1+esm4"
]
},
{
"ecosystem_specific": {
"availability": "No subscription required",
"binaries": [
{
"binary_name": "ruby-rack",
"binary_version": "2.2.7-1ubuntu0.1"
}
]
},
"package": {
"ecosystem": "Ubuntu:24.04:LTS",
"name": "ruby-rack",
"purl": "pkg:deb/ubuntu/ruby-rack@2.2.7-1ubuntu0.1?arch=source\u0026distro=noble"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.7-1ubuntu0.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.2.4-3",
"2.2.7-1"
]
}
],
"aliases": [],
"details": "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.",
"id": "UBUNTU-CVE-2024-26146",
"modified": "2025-07-18T16:56:28Z",
"published": "2024-02-29T00:15:00Z",
"references": [
{
"type": "REPORT",
"url": "https://ubuntu.com/security/CVE-2024-26146"
},
{
"type": "REPORT",
"url": "https://github.com/rack/rack/releases/tag/v2.2.8.1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6689-1"
},
{
"type": "REPORT",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26146"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6837-1"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-6837-2"
},
{
"type": "ADVISORY",
"url": "https://ubuntu.com/security/notices/USN-7036-1"
}
],
"related": [
"USN-6689-1",
"USN-6837-1",
"USN-6837-2",
"USN-7036-1"
],
"schema_version": "1.7.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
},
{
"score": "medium",
"type": "Ubuntu"
}
],
"upstream": [
"CVE-2024-26146"
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.