Rack Gem Subject to Denial of Service via Hash Collisions

GHSA-v6j3-7jrw-hq2p · CVE-2011-5036

Published May 17, 2022 · Modified Nov 30, 2024

Description

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2011-5036
WEB https://gist.github.com/52bbc6b9cc19ce330829
WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml
WEB https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1
WEB https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
WEB http://www.debian.org/security/2013/dsa-2783
WEB http://www.kb.cert.org/vuls/id/903934
WEB http://www.nruns.com/_downloads/advisory28122011.pdf
WEB http://www.ocert.org/advisories/ocert-2011-003.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes