Version 3.1.8

rack

A modular Ruby web server interface.

Install Instructions

gem install rack
Current Version Release Date October 14, 2024
Language Ruby
Package URL (purl) pkg:gem/rack@3.1.8

Find rack vulnerabilities in your supply chain.

Scan for Free

rack Vulnerabilities

Sort by
icon CVE (Latest)
  • icon CVE (Latest)
  • icon CVE (Oldest)
  • icon CVSS Score (Highest)
  • icon CVSS Score (Lowest)
CVE question mark icon CVSS Score question mark icon CWE(s) question mark icon EPSS Score question mark icon EPSS % question mark icon Impacted Versions
CVE-2011-5036 Medium 5 CWE-400, CWE-310 0.00805 0.82358
  • 1.0.0–1.3.5
  • 0.1.0–0.9.1
CVE-2012-6109 Medium 4.3 CWE-400 0.01038 0.84535
  • 1.0.0–1.4.1
  • 0.1.0–0.9.1
CVE-2013-0184 Medium 4.3 CWE-400 0.01282 0.8631
  • 1.1.0–1.4.3
CVE-2013-0263 Medium 5.1 CWE-208 0.0835 0.94621
  • 1.1.0–1.5.1
CVE-2018-16471 Medium 6.1 CWE-79 0.00577 0.78668
  • 2.0.1–2.0.5
  • 1.0.0–1.6.10
  • 0.1.0–0.9.1
CVE-2019-16782 Medium 5.9 CWE-208, CWE-203, CWE-200 0.00249 0.65229
  • 2.0.1–2.0.7
  • 1.0.0–1.6.11
  • 0.1.0–0.9.1
CVE-2020-8161 High 8.6 CWE-22, CWE-548 0.00177 0.55896
  • 2.0.0.rc1–2.1.2
  • 1.0.0–1.6.13
  • 0.1.0–0.9.1
CVE-2020-8184 High 7.5 CWE-20 0.00171 0.55187
  • 2.0.0.rc1–2.2.2
  • 1.0.0–1.6.13
  • 0.1.0–0.9.1
CVE-2022-30122 High 7.5 CWE-1333, CWE-400 0.00145 0.51712
  • 2.0.0.rc1–2.2.3
  • 1.2.0–1.6.13
CVE-2022-30123 High 10 CWE-150 0.0056 0.78332
  • 2.0.0.rc1–2.2.3
  • 1.0.0–1.6.13
  • 0.1.0–0.9.1
CVE-2023-27530 High 7.5 CWE-400, CWE-770 0.0018 0.56314
  • 3.0.0–3.0.4.1
  • 2.0.0.rc1–2.2.6.2
  • 1.0.0–1.6.13
  • 0.1.0–0.9.1
CVE-2024-25126 Medium 5.3 CWE-1333 0.00044 0.11741
  • 3.0.0–3.0.9
  • 2.0.0.rc1–2.2.8
  • 1.0.0–1.6.13
  • 0.4.0–0.9.1
CVE-2024-26146 Medium 5.3 CWE-1333 0.00044 0.14587
  • 3.0.0–3.0.9
  • 2.0.0.rc1–2.2.8
  • 1.0.0–1.6.13
  • 0.1.0–0.9.1
CVE-2015-3225 Medium 5 CWE-19, CWE-400 0.06662 0.94052
  • 1.4.0–1.6.1
CVE-2022-44570 High 7.5 CWE-1333, CWE-400 0.00154 0.52809
  • 3.0.0–3.0.4
  • 2.0.0.rc1–2.2.6.1
  • 1.5.0–1.6.13
CVE-2024-26141 Medium 5.8 CWE-400 0.00044 0.11741
  • 3.0.0–3.0.9
  • 2.0.0.rc1–2.2.8
  • 1.3.0–1.6.13
CVE-2013-0183 Medium 5 CWE-119, CWE-400 0.04897 0.93058
  • 1.3.0–1.4.2
CVE-2013-0262 Medium 4.3 CWE-22, CWE-200 0.00503 0.77119
  • 1.4.0–1.5.1
CVE-2018-16470 High 7.5 CWE-400 0.00081 0.36291
  • 2.0.4–2.0.5
CVE-2022-44571 High 7.5 CWE-1333, CWE-400 0.00154 0.52809
  • 3.0.0–3.0.4
  • 2.0.1–2.2.6
CVE-2022-44572 High 7.5 CWE-1333, CWE-400 0.00128 0.49054
  • 3.0.0–3.0.4
  • 2.0.1–2.2.6
CVE-2023-27539 Unknown CWE-1333 None None
  • 3.0.0–3.0.6
  • 2.0.1–2.2.6.3
CVE-2024-39316 Medium 6.5 CWE-1333 0.00045 0.17206
  • 3.1.0–3.1.4

rack Vulnerability Remediation Guidance

CVE Description Full list of Impacted Versions Fix
CVE-2024-39316 Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix. 3.1.4, 3.1.3, 3.1.2, 3.1.1, 3.1.0 Patch → 3.1.5
CVE-2024-26146 Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2024-26141 Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1. 1.5.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1, 1.6.0, 1.3.5, 1.3.6 (Show all) Patch → 2.2.8.1
CVE-2024-25126 Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2023-27539 There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539. Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1 # Impact Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. # Workarounds Setting Regexp.timeout in Ruby 3.2 is a possible workaround. 2.0.4, 2.0.5, 3.0.3, 3.0.0, 2.2.3, 2.0.9.2, 2.2.6.1, 3.0.4 (Show all) Patch → 2.2.8.1
CVE-2023-27530 A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2022-44572 A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. 2.0.4, 2.0.5, 3.0.3, 3.0.0, 2.2.3, 3.0.4, 3.0.2, 2.2.4 (Show all) Patch → 2.2.8.1
CVE-2022-44571 There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted. 2.0.4, 2.0.5, 3.0.3, 3.0.0, 2.2.3, 3.0.4, 3.0.2, 2.2.4 (Show all) Patch → 2.2.8.1
CVE-2022-44570 A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted. 1.5.2, 1.5.0, 1.6.1, 1.6.0, 2.0.4, 1.5.1, 2.0.5, 1.5.3 (Show all) Patch → 2.2.8.1
CVE-2022-30123 A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2022-30122 A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. 1.2.1, 1.5.2, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1, 1.6.0 (Show all) Patch → 2.2.8.1
CVE-2020-8184 A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2020-8161 A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2019-16782 There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2018-16471 There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. 1.2.1, 1.5.2, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.6.1 (Show all) Patch → 2.2.8.1
CVE-2018-16470 There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size. 2.0.4, 2.0.5 Patch → 2.2.8.1
CVE-2015-3225 lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. 1.5.2, 1.5.0, 1.6.1, 1.6.0, 1.4.5, 1.4.2, 1.4.1, 1.4.4 (Show all) Patch → 2.2.8.1
CVE-2013-0263 Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. 1.2.1, 1.2.2, 1.3.2, 1.3.4, 1.5.0, 1.3.5, 1.3.6, 1.1.1 (Show all) Patch → 2.2.8.1
CVE-2013-0262 rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals." 1.5.0, 1.4.2, 1.4.1, 1.4.4, 1.5.1, 1.4.0, 1.4.3 Patch → 2.2.8.1
CVE-2013-0184 Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." 1.2.1, 1.2.2, 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.1.1, 1.1.3 (Show all) Patch → 2.2.8.1
CVE-2013-0183 multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.4.2, 1.4.1, 1.3.3 (Show all) Patch → 2.2.8.1
CVE-2012-6109 lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header. 1.2.1, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.3.5, 1.3.6, 1.1.1 (Show all) Patch → 2.2.8.1
CVE-2011-5036 Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. 1.2.1, 1.0.1, 1.2.2, 1.3.2, 1.3.4, 1.3.5, 1.1.1, 1.2.0 (Show all) Patch → 2.2.8.1

Instantly see if these rack vulnerabilities affect your code.

Scan for Free