CVE-2024-26141

{"id": "CVE-2024-26141", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2024-02-29T00:15:51.403", "references": [{"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "tags": ["Exploit", "Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html", "tags": ["Mailing List"], "source": "security-advisories@github.com"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0007/", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}, {"url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html", "tags": ["Mailing List"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20240510-0007/", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-400"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1."}, {"lang": "es", "value": "Rack es una interfaz modular de servidor web Ruby. Los encabezados de rango cuidadosamente elaborados pueden hacer que un servidor responda con una respuesta inesperadamente grande. Responder con respuestas tan amplias podr\u00eda dar lugar a un problema de denegaci\u00f3n de servicio. Las aplicaciones vulnerables utilizar\u00e1n el middleware `Rack::File` o los m\u00e9todos `Rack::Utils.byte_ranges` (esto incluye aplicaciones Rails). La vulnerabilidad se solucion\u00f3 en 3.0.9.1 y 2.2.8.1."}], "lastModified": "2025-02-14T15:33:08.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "746C9255-2FA2-4E9C-94DA-379396561EB1", "versionEndExcluding": "2.2.8.1", "versionStartIncluding": "1.3.0"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "FF0C5646-2AB6-4887-BA17-970964A53E3C", "versionEndExcluding": "3.0.9.1", "versionStartIncluding": "3.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}