CVE-2024-26141

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26141.json",
    "cwe_ids": [
        "CWE-400"
    ]
}

References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type

GIT

Repo

https://github.com/rack/rack

Events

Introduced

52901caf09ebcda879512a8605059963a49df55d

Fixed

a4bc5e0f41c750135969ceece8772ab112dc8f17

Database specific

{
    "versions": [
        {
            "introduced": "3.0.0"
        },
        {
            "fixed": "3.0.9.1"
        }
    ]
}

Type

GIT

Repo

https://github.com/rack/rack

Events

Introduced

a50dda57c1426b6b38ed06fa08cab154285c8057

Fixed

e83001100ad9dd24e1744b13669dcb2736a13ebd

Database specific

{
    "versions": [
        {
            "introduced": "1.3.0"
        },
        {
            "fixed": "2.2.8.1"
        }
    ]
}

Affected versions

1.*

1.3.0

1.4.0

1.4.1

1.5.0

1.5.1

1.5.2

1.6.0

1.6.0.beta

1.6.0.beta2

2.*

2.0.0

2.0.0.alpha

2.0.0.rc1

2.0.1

2.1.0

2.2.0

2.2.3

2.2.3.1

2.2.4

3.*

3.0.0

v2.*

v2.2.1

v2.2.2

v2.2.5

v2.2.6

v2.2.6.1

v2.2.6.2

v2.2.6.3

v2.2.6.4

v2.2.7

v2.2.8

v3.*

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.4.1

v3.0.4.2

v3.0.5

v3.0.6

v3.0.6.1

v3.0.7

v3.0.8

v3.0.9