USN-7036-1

Source
https://ubuntu.com/security/notices/USN-7036-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7036-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-7036-1
Related
Published
2024-09-26T04:19:46.522367Z
Modified
2024-09-26T04:19:46.522367Z
Summary
ruby-rack vulnerabilities
Details

It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-30122)

It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application. (CVE-2022-30123)

It was discovered that Rack did not properly structure regular expressions in some of its parsing components, which could result in uncontrolled resource consumption if an application using Rack received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-44570, CVE-2022-44571)

It was discovered that Rack did not properly structure regular expressions in its multipart parsing component, which could result in uncontrolled resource consumption if an application using Rack to parse multipart posts received specially crafted input. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2022-44572)

It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2023-27530)

It was discovered that Rack incorrectly handled certain regular expressions. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2023-27539)

It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2024-25126)

It was discovered that Rack incorrectly handled certain Range headers. A remote attacker could possibly use this issue to cause Rack to create large responses, leading to a denial of service. (CVE-2024-26141)

It was discovered that Rack incorrectly handled certain crafted headers. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. (CVE-2024-26146)

References

Affected packages

Ubuntu:22.04:LTS / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/ubuntu/ruby-rack?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4-5ubuntu1.1

Affected versions

2.*

2.1.4-3
2.1.4-4
2.1.4-5
2.1.4-5ubuntu1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "2.1.4-5ubuntu1.1",
            "binary_name": "ruby-rack"
        }
    ]
}