CVE-2022-44571

NameCVE-2022-44571
DescriptionThere is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3298-1, DSA-5530-1, ELA-785-1
Debian Bugs1029832

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)jessie, jessie (lts)1.5.2-3+deb8u4vulnerable
stretch (security)1.6.4-4+deb9u2vulnerable
stretch (lts), stretch1.6.4-4+deb9u6fixed
buster (security), buster, buster (lts)2.0.6-3+deb10u4fixed
bullseye (security), bullseye2.1.4-3+deb11u2fixed
bookworm (security), bookworm2.2.6.4-1+deb12u1fixed
sid, trixie2.2.7-1.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourcejessie(unfixed)end-of-life
ruby-racksourcestretch1.6.4-4+deb9u4ELA-785-1
ruby-racksourcebuster2.0.6-3+deb10u2DLA-3298-1
ruby-racksourcebullseye2.1.4-3+deb11u1DSA-5530-1
ruby-racksource(unstable)2.2.4-31029832

Notes

https://github.com/rack/rack/commit/4e33ad10bf5f16d25c156f905bcc548e7f787bc3 (v2.0.9.2)
https://github.com/rack/rack/commit/9b5fb5c7ef0e39b959a6c5c0005d9af44a29d6f8 (v2.1.4.2)
https://github.com/rack/rack/commit/ee25ab9a7ee981d7578f559701085b0cf39bde77 (v2.2.6.1)
Search for package or bug name: Reporting problems