CVE-2015-3225
ruby-rack - security update
EPSS 13.3%
Description
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
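The mechanism behind this CVE is that nested parameter keys such as `a[b][c]` are expanded recursively, so the recursion depth is controlled by the request. The following is an added illustration written for this page, not Rack's own code: a minimal nested-parameter parser whose recursion is bounded by a depth limit, in the spirit of the fix shipped in Rack 1.5.4 and 1.6.2. The limit value of 100, the `ParamsTooDeep` error class and the helper names are assumptions chosen for the example, and the query strings are constructed sample input.

```ruby
# Added example (not Rack's code): nested query parameters with a bounded
# nesting depth. Unbounded recursion here is what lets an oversized key
# exhaust the stack (SystemStackError); the limit turns that into a
# controlled, catchable error.

class ParamsTooDeep < StandardError; end

DEFAULT_DEPTH_LIMIT = 100 # assumed value for this illustration

# Split "user[address][city]" into ["user", "address", "city"].
def split_key(key)
  head, rest = key.match(/\A([^\[\]]*)(.*)\z/).captures
  [head] + rest.scan(/\[([^\[\]]*)\]/).flatten
end

# Insert `value` under the nested path `parts`. Each bracket segment costs
# one stack frame; depth_limit = nil reproduces the unbounded (pre-fix)
# behaviour, an Integer stops the recursion once the budget is spent.
def normalize_params(params, parts, value, depth_limit = DEFAULT_DEPTH_LIMIT)
  if depth_limit && depth_limit <= 0
    raise ParamsTooDeep, "parameter nesting exceeds the configured limit"
  end
  name = parts.first
  if parts.length == 1
    params[name] = value
  else
    params[name] = {} unless params[name].is_a?(Hash)
    normalize_params(params[name], parts[1..-1], value,
                     depth_limit && depth_limit - 1)
  end
  params
end

# Parse a raw query string ("k=v&k2=v2") into a nested Hash.
def parse_query(query, depth_limit: DEFAULT_DEPTH_LIMIT)
  query.split("&").each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    normalize_params(params, split_key(key), value, depth_limit)
  end
end

# True when the parser refuses the query because of its nesting depth.
def rejected_as_too_deep?(query, depth_limit: DEFAULT_DEPTH_LIMIT)
  parse_query(query, depth_limit: depth_limit)
  false
rescue ParamsTooDeep
  true
end

# Constructed sample inputs.
NORMAL_QUERY = "user[name]=alice&user[address][city]=Oslo"
DEEP_QUERY   = "a" + "[x]" * 300 + "=1" # far beyond the assumed limit

if __FILE__ == $0
  p parse_query(NORMAL_QUERY)
  puts "deep key rejected with limit: #{rejected_as_too_deep?(DEEP_QUERY)}"
  puts "deep key rejected without limit: #{rejected_as_too_deep?(DEEP_QUERY, depth_limit: nil)}"
end
```

With the limit in place a deep key is refused with `ParamsTooDeep`, which an application can map to a 4xx response; with `depth_limit: nil` the same key is accepted and the nesting of the resulting Hash is entirely attacker-controlled, which is the condition the advisory describes.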
How to fix CVE-2015-3225
To remediate CVE-2015-3225, upgrade the affected package to one of the fixed versions listed below.
- Debian/librack-ruby—upgrade to 1.1.0-4+squeeze3 or later
- Debian/ruby-rack—upgrade to 1.5.2-4 or later
- Debian/ruby-rack—upgrade to 1.4.1-2.1+deb7u1 or later
- —upgrade to 1.5.4 or later
Is CVE-2015-3225 being exploited?
Moderate — EPSS is 13.3%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (4)
- from 0, < 1.1.0-4+squeeze3
- from 0, < 1.5.2-4
- from 0, < 1.4.1-2.1+deb7u1
- >= 1.5.0, < 1.5.4