CVE-2012-6109

Rack < 1.1.4, 1.2.x < 1.2.6, 1.3.x < 1.3.7, 1.4.x < 1.4.2 - Denial of Service via Crafted Content-Disposition Header

Title source: llm

Description

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

References (7)

Core 7

Core References

Issue Tracking x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=895277

Patch x_refsource_confirm

https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5

View Patch ZIP pw:eip

Various Sources x_refsource_confirm

http://rack.github.com/

Various Sources x_refsource_confirm

https://github.com/rack/rack/blob/master/README.rdoc

Mailing List x_refsource_misc

https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2013-0548.html

Vendor Advisory vendor-advisory x_refsource_redhat

http://rhn.redhat.com/errata/RHSA-2013-0544.html

Scores

EPSS 0.0083

EPSS Percentile 74.7%

Details

Status published

Products (26)

rack_project/rack 0.1

rack_project/rack 0.2

rack_project/rack 0.3

rack_project/rack 0.4

rack_project/rack 0.9

rack_project/rack 0.9.1

rack_project/rack 1.0.0

rack_project/rack 1.0.1

rack_project/rack 1.1.0

rack_project/rack 1.1.2

... and 16 more

Published Mar 01, 2013

Tracked Since Feb 18, 2026