Denial of Service Vulnerability in Rack Multipart Parsing
GHSA-hxqx-xwvh-44m2 · CVE-2022-30122
Published · Modified
Description
There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.
Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.
Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:
params = Rack::Multipart.parse_multipart(env)
But it also includes reading POST data from a Rack request object like this:
p request.POST # read POST data
p request.params # reads both query params and POST data
All users running an affected release should either upgrade or use one of the workarounds immediately.
Workarounds
There are no feasible workarounds for this issue.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-30122
- WEB https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729
- PACKAGE https://github.com/rack/rack
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml
- WEB https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk
- WEB https://security.gentoo.org/glsa/202310-18
- WEB https://security.netapp.com/advisory/ntap-20231208-0012
- WEB https://www.debian.org/security/2023/dsa-5530
Ready to move
Start Securing
Free, no credit card | First findings in minutes