rack@1.6.4 vulnerabilities

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Rack::QueryParser. An attacker can exhaust memory and CPU by sending HTTP requests containing an excessively large number of &-separated query parameters.

Upgrade rack to version 2.2.14, 3.0.16, 3.1.14 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Relative Path Traversal in the can_serve() function in Rack::Static that enables local file inclusion. An attacker who knows the exact path to any file in the root: file directory can access it by supplying a path traversing pathname.

Upgrade rack to version 2.2.13, 3.0.14, 3.1.12 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rack::Sendfile middleware which logs values from the X-Sendfile-Type header. An attacker can inject messages into logs by including escape sequences such as newline characters in sent headers.

Upgrade rack to version 2.2.12, 3.0.13, 3.1.11 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs through the Rack::CommonLogger process. An attacker can manipulate log entries by crafting input that includes newline characters to insert fraudulent entries or obscure real activity.

Upgrade rack to version 2.2.11, 3.0.12, 3.1.10 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) in handling of the Range request header. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. This issue is present when the Rack::File middleware or the Rack::Utils.byte_ranges methods are used (which includes applications built with Rails).

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing Content-Type data in media_type.rb, causing a slow-down in parsing performance. Code using any of the following may be vulnerable: request.media_type, request.media_type_params, Rack::MediaType.type(content_type)

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the build_nested_query() function, used when parsing Accept and Forwarded headers. This can cause parsing performance to slow down.

Upgrade rack to version 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the Multipart MIME parsing functionality in parser.rb, which doesn't limit the number of total parts that can be uploaded. Exploiting this vulnerability is possible via a carefully crafted request, which might result in multipart parsing taking longer than expected.

Upgrade rack to version 2.0.9.3, 2.1.4.3, 2.2.6.3, 3.0.4.2 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the get_byte_ranges() range header parsing function in utils.rb.

NOTE: Patches have been released to address this issue: 2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch

Upgrade rack to version 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the multipart parsing component. Exploiting this vulnerability is possible when carefully crafted multipart POST requests cause Rack's multipart parser to take much longer than expected.

Notes:

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

It also includes reading POST data from a Rack request object like this:

p request.POST # read POST data 

p request.params # reads both query params and POST data

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Arbitrary Code Injection. There is a possible shell-escape sequence injection vulnerability in Rack's Lint and CommonLogger components. Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Notes:

Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this:use Rack::Lint or use Rack::CommonLogger.

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter.

PoC

GET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1

Host: somesite.com

Upgrade-Insecure-Requests: 1		

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,imag e/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate			

Accept-Language: en-US,en;q=0.9 Connection: close			

The server sees 3 parameters here: q, utm_content and then q again. On the other hand, the proxy considers this full string: 1;q=malicious as the value of utm_content, which is why the cache key would only contain somesite.com/?q=legitimate.

Upgrade rack to version 3.0.0.beta1 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request.

Upgrade rack to version 2.1.4, 2.2.3 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Directory Traversal. If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.

Upgrade rack to version 2.1.3 or higher.

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Information Exposure. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

Upgrade rack to version 1.6.12, 2.0.8 or higher.