CVE-2011-5036 — librack-ruby - several

Description

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

How to fix CVE-2011-5036

To remediate CVE-2011-5036, upgrade the affected package to a fixed version below.

Debian/librack-ruby—upgrade to 1.1.0-4+squeeze1 or later
Debian/ruby-rack—upgrade to 1.4.0-1 or later
—upgrade to 1.6.5.1 or later
—upgrade to 1.1.3 or later

Is CVE-2011-5036 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

from 0, < 1.1.0-4+squeeze1
from 0, < 1.4.0-1
from 0, < 1.6.5.1
from 0, < 1.1.3

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-5036
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2011-5036
WEBgist.github.com/52bbc6b9cc19ce330829
WEBgithub.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml