CVE-2013-0184: Rack vulnerable to Denial of Service
CVSS Score: 4.3

Basic Information
CVE ID: CVE-2013-0184
GHSA ID:
EPSS Score: 0.70587%
CWE: -
Published: 5/5/2022
Updated: 3/8/2023
KEV Status: No
Technology: Ruby

Technical Details
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
rack | rubygems | >= 1.1.0, < 1.1.5 | 1.1.5 |
rack | rubygems | >= 1.2.0, < 1.2.7 | 1.2.7 |
rack | rubygems | >= 1.3.0, < 1.3.9 | 1.3.9 |
rack | rubygems | >= 1.4.0, < 1.4.4 | 1.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly mentions Rack::Auth::AbstractRequest and "symbolized arbitrary strings", and the commit message confirms that the security fix targeted this class. In Rack's authentication flow, the #scheme method typically processes the Authorization header, so it is the logical place where user input gets symbolized. Symbolizing attacker-controlled strings is a well-known anti-pattern in Ruby because of memory retention: on the Ruby versions current at the time, symbols were never garbage-collected, so every distinct string a client sent was interned for the life of the process and a stream of unique values could exhaust memory (the denial of service named in the title).
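An added illustration of the anti-pattern described above and its remedy; this is not Rack's own code (the page does not show it), just a minimal, hypothetical parser for the scheme token of an Authorization header. The weak form interns whatever token the client sends with `to_sym`; the hardened form only ever yields symbols from a fixed allowlist of known schemes.

```ruby
# Added example, not Rack's implementation. Both functions take the value of an
# HTTP Authorization header (e.g. "Basic dXNlcjpwYXNz") and return the scheme.

# Weak form: every distinct, client-chosen scheme token becomes a new Symbol.
# On Ruby < 2.2 symbols were never garbage-collected, so unique tokens
# accumulate in the symbol table for the life of the process.
def scheme_interning(authorization)
  return nil if authorization.nil? || authorization.empty?
  authorization.split(' ', 2).first.downcase.to_sym
end

# Hardened form: the only symbols that can be produced are the ones listed
# here. Unknown tokens map to nil, so nothing derived from the request is
# interned. (Scheme list is an assumption for the example.)
KNOWN_SCHEMES = {
  'basic'  => :basic,
  'digest' => :digest,
  'bearer' => :bearer,
}.freeze

def scheme_allowlisted(authorization)
  return nil if authorization.nil? || authorization.empty?
  token = authorization.split(' ', 2).first.downcase
  KNOWN_SCHEMES[token] # Hash lookup with a String key creates no Symbol
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a normal Basic header and an arbitrary made-up scheme.
  p scheme_interning('Basic dXNlcjpwYXNz')       # :basic
  p scheme_allowlisted('Basic dXNlcjpwYXNz')     # :basic
  p scheme_interning('Zz-constructed-1 x')       # :"zz-constructed-1" (newly interned)
  p scheme_allowlisted('Zz-constructed-1 x')     # nil
end
```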