
CVE-2013-0184: Rack vulnerable to Denial of Service

CVSS Score: 4.3

Basic Information

EPSS Score: 0.70587%
CWE: -
Published: 5/5/2022
Updated: 3/8/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector (CVSS v2): AV:N/AC:M/Au:N/C:N/I:N/A:P

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
rack           rubygems    >= 1.1.0, < 1.1.5     1.1.5
rack           rubygems    >= 1.2.0, < 1.2.7     1.2.7
rack           rubygems    >= 1.3.0, < 1.3.9     1.3.9
rack           rubygems    >= 1.4.0, < 1.4.4     1.4.4

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability description explicitly names Rack::Auth::AbstractRequest and "symbolized arbitrary strings", and the commit message confirms the security fix targeted this class. In Rack's authentication flow, AbstractRequest#scheme parses the scheme token out of the Authorization header, which makes it the logical place where user input is converted to a Symbol. Converting attacker-controlled strings to Symbols is a well-known Ruby anti-pattern: on the Ruby versions contemporary with Rack 1.1 through 1.4 (anything before Ruby 2.2), Symbols are never garbage collected, so every distinct scheme token a remote client sends becomes a permanent allocation and process memory grows without bound. No authentication is needed to reach this code path, and only availability is affected, which matches the CVSS vector (Au:N/C:N/I:N/A:P).
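The following is an added illustration of the anti-pattern described above; it is not Rack's own code and does not reproduce the actual fix. It models a minimal stand-in for the Authorization-header parsing that Rack::Auth::AbstractRequest performs: a vulnerable form whose #scheme symbolizes the client-chosen token, and a hardened form that keeps the token a String. The class names, the helper symbol_table_growth, and the request headers it constructs are all hypothetical. It goes slightly beyond the page by measuring the symbol-table growth directly, so the memory-retention effect is observable rather than asserted.

```ruby
require 'securerandom'

# Hypothetical stand-in for Rack::Auth::AbstractRequest (added example,
# not Rack's code). Only the #scheme method mirrors the real class's role.
class VulnerableAuthRequest
  def initialize(env)
    @env = env
  end

  # Raw "Authorization" header as Rack exposes it in the env hash.
  def authorization
    @env['HTTP_AUTHORIZATION']
  end

  # ["<scheme>", "<credentials>"], e.g. ["Basic", "Zm9vOmJhcg=="]
  def parts
    @parts ||= authorization.to_s.split(' ', 2)
  end

  # Anti-pattern: the remote client chooses the string that becomes a Symbol.
  # Before Ruby 2.2 dynamically created Symbols are never garbage collected,
  # so each distinct scheme token is retained for the life of the process.
  def scheme
    @scheme ||= parts.first && parts.first.downcase.to_sym
  end
end

class HardenedAuthRequest < VulnerableAuthRequest
  # Keep the token a String; callers compare with scheme == 'basic'.
  # A String is ordinary garbage-collected data, so unbounded distinct
  # tokens cost nothing once the request is gone.
  def scheme
    @scheme ||= parts.first && parts.first.downcase
  end
end

# Simulates a remote client sending +count+ requests, each with a unique,
# attacker-chosen scheme token (constructed here), and returns how many
# entries the global symbol table gained. The request objects are kept
# alive until after counting so that the Symbols the vulnerable class
# created stay referenced, as they would permanently on a pre-2.2 Ruby.
def symbol_table_growth(klass, count)
  before = Symbol.all_symbols.size
  requests = Array.new(count) do
    token = "x-#{SecureRandom.hex(8)}"   # unique per request, constructed
    req = klass.new('HTTP_AUTHORIZATION' => "#{token} AAAA")
    req.scheme                            # trigger the header parse
    req
  end
  growth = Symbol.all_symbols.size - before
  requests.clear                          # release only after counting
  growth
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: +#{symbol_table_growth(VulnerableAuthRequest, 1000)} symbols"
  puts "hardened:   +#{symbol_table_growth(HardenedAuthRequest, 1000)} symbols"
end
```

The vulnerable variant gains one symbol-table entry per request; the hardened variant gains none from the parsing path. On Ruby 2.2 and later the dynamic Symbols would eventually be collected once nothing references them, which is why the hardened form (or an allowlist of known scheme strings) is the fix rather than relying on the interpreter version.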


WAF Protection Rules

WAF Rule

Unspecified vulnerability in `Rack::Auth::AbstractRequest` in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings".
