7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-44571

GHSA ID

GHSA-93pm-5p5f-3ghx

EPSS Score

0.84251%

CWE

CWE-400

Published

1/18/2023

Updated

10/23/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-44571

CVE-2022-44571: Denial of Service Vulnerability in Rack Content-Disposition parsing

There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1 Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Releases

The fixed releases are available at the normal locations. Workarounds

There are no feasible workarounds for this issue. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-44571

GHSA ID

GHSA-93pm-5p5f-3ghx

EPSS Score

0.84251%

CWE

CWE-400

Published

1/18/2023

Updated

10/23/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	>= 2.0.0, < 2.0.9.2	2.0.9.2
rack	rubygems	>= 2.1.0, < 2.1.4.2	2.1.4.2
rack	rubygems	>= 2.2.0, < 2.2.6.1	2.2.6.1
rack	rubygems	>= 3.0.0.0, < 3.0.4.1	3.0.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis:

In progress

WAF Protection Rules

WAF Rule

T**r* is * **ni*l o* s*rvi** vuln*r**ility in t** *ont*nt-*isposition p*rsin* *ompon*nt o* R**k. T*is vuln*r**ility **s ***n *ssi*n** t** *V* i**nti*i*r *V*-****-*****. V*rsions *****t**: >= *.*.* Not *****t**: Non*. *ix** V*rsions: *.*.*.*, *.*.*.*

Reasoning

No *n*lysis *v*il**l*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-44571: Denial of Service Vulnerability in Rack Content-Disposition parsing

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI