CVE-2012-6109 — Rack vulnerable to REDoS

Description

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

How to fix CVE-2012-6109

To remediate CVE-2012-6109, upgrade the affected package to a fixed version below.

Debian/ruby-rack—upgrade to 1.4.1-2.1 or later
RubyGems/rack—upgrade to 1.1.4 or later

Is CVE-2012-6109 being exploited?

Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.1-2.1
from 0, < 1.1.4

References (12)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2012-6109
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2012-6109
WEBaccess.redhat.com/errata/RHSA-2013:0544
WEBaccess.redhat.com/security/cve/CVE-2012-6109
WEB