6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39316

GHSA ID

GHSA-cj83-2ww7-mvq7

EPSS Score

0.71755%

CWE

CWE-1333

Published

7/3/2024

Updated

11/5/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-39316

CVE-2024-39316: Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).

Details

The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-39316

CVE-2024-39316:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-39316

GHSA ID

GHSA-cj83-2ww7-mvq7

EPSS Score

0.71755%

CWE

CWE-1333

Published

7/3/2024

Updated

11/5/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	>= 3.1.0, < 3.1.5	3.1.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability exists in parse_http_accept_header which used problematic regex patterns for splitting headers. The commit diff shows replacement of regex splits with simple string splits and strip operations to mitigate ReDoS. The accept_encoding and accept_language methods are explicitly mentioned in advisories as entry points that trigger the vulnerable parsing logic. The Rack::Deflater middleware's use of accept_encoding (via Utils.select_best_encoding) creates an implicit attack surface even when applications don't directly use these methods.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-39316: Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Summary

Details

CVE-2024-39316:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2024-39316: Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Summary

Details

6.5

6.5

Basic Information

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI