7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-44572

GHSA ID

GHSA-rqv2-275x-2jq5

EPSS Score

0.48363%

CWE

CWE-400

Published

1/18/2023

Updated

10/23/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-44572

CVE-2022-44572: Denial of service via multipart parsing in Rack

There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1 Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Releases

The fixed releases are available at the normal locations. Workarounds

There are no feasible workarounds for this issue. Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

2-0-Forbid-control-characters-in-attributes.patch - Patch for 2.0 series
2-1-Forbid-control-characters-in-attributes.patch - Patch for 2.1 series
2-2-Forbid-control-characters-in-attributes.patch - Patch for 2.2 series
3-0-Forbid-control-characters-in-attributes.patch - Patch for 3.0 series

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-44572

GHSA ID

GHSA-rqv2-275x-2jq5

EPSS Score

0.48363%

CWE

CWE-400

Published

1/18/2023

Updated

10/23/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	>= 2.0.0, < 2.0.9.2	2.0.9.2
rack	rubygems	>= 2.1.0.0, < 2.1.4.2	2.1.4.2
rack	rubygems	>= 2.2.0.0, < 2.2.6.1	2.2.6.1
rack	rubygems	>= 3.0.0.0, < 3.0.4.1	3.0.4.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from inefficient regex handling in multipart boundary parsing (CWE-1333). The patches explicitly forbid control characters in attributes, indicating the vulnerable functions were involved in parsing multipart headers/boundaries. Rack's multipart parser (parser.rb) is the logical component handling this logic. The combination of CWE-1333 reference and the patch's focus on attribute validation strongly points to regex-based parsing functions in this module as the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T**r* is * **ni*l o* s*rvi** vuln*r**ility in t** multip*rt p*rsin* *ompon*nt o* R**k. T*is vuln*r**ility **s ***n *ssi*n** t** *V* i**nti*i*r *V*-****-*****. V*rsions *****t**: >= *.*.* Not *****t**: Non*. *ix** V*rsions: *.*.*.*, *.*.*.*, *.*.*.*,

Reasoning

T** vuln*r**ility st*ms *rom in***i*i*nt r***x **n*lin* in multip*rt *oun**ry p*rsin* (*W*-****). T** p*t***s *xpli*itly *or*i* *ontrol ***r**t*rs in *ttri*ut*s, in*i**tin* t** vuln*r**l* *un*tions w*r* involv** in p*rsin* multip*rt *****rs/*oun**ri*

7.5

Basic Information

Concerned about an active attack path?

CVE-2022-44572: Denial of service via multipart parsing in Rack

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI