CVE-2011-5036

Rack < 1.1.3, 1.2.x < 1.2.5, 1.3.x < 1.3.6 - Denial of Service via Hash Collision


Description

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

References (6)

Core References (6)
Various Sources (x_refsource_misc): http://www.nruns.com/_downloads/advisory28122011.pdf
Exploit (x_refsource_confirm): https://gist.github.com/52bbc6b9cc19ce330829
US Government Resource, third-party advisory (x_refsource_cert-vn): http://www.kb.cert.org/vuls/id/903934
Third Party Advisory, mailing list (x_refsource_bugtraq): http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
Third Party Advisory, vendor advisory (x_refsource_debian): http://www.debian.org/security/2013/dsa-2783
Various Sources (x_refsource_misc): http://www.ocert.org/advisories/ocert-2011-003.html

Scores

EPSS 0.0128
EPSS Percentile 79.8%

Details

CWE
CWE-310
Status published
Products (14)
org.jruby/jruby-parent 0 - 1.6.5.1 (Maven)
rack_project/rack 1.2.0
rack_project/rack 1.2.1
rack_project/rack 1.2.2
rack_project/rack 1.2.3
rack_project/rack 1.2.4
rack_project/rack 1.3.0
rack_project/rack 1.3.1
rack_project/rack 1.3.2
rack_project/rack 1.3.3
... and 4 more
Published Dec 30, 2011
Tracked Since Feb 18, 2026