Known vulnerabilities in the rack package. This does not include vulnerabilities belonging to this package’s dependencies.
rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

| Vulnerability | How to fix | Vulnerable Version |
|---|---|---|
| Race Condition in | Upgrade | <2.2.14 |
| Allocation of Resources Without Limits or Throttling in the | Upgrade | <2.2.14; >=3.0.0.beta1, <3.0.16; >=3.1.0, <3.1.14 |
| Relative Path Traversal in the | Upgrade | <2.2.13; >=3.0.0.beta1, <3.0.14; >=3.1.0, <3.1.12 |
| Improper Output Neutralization for Logs in the | Upgrade | <2.2.12; >=3.0.0.beta1, <3.0.13; >=3.1.0, <3.1.11 |
| Improper Output Neutralization for Logs through the | Upgrade | <2.2.11; >=3.0.0, <3.0.12; >=3.1.0, <3.1.10 |
| Denial of Service (DoS) in handling of the | Upgrade | >=1.3.0, <2.2.8.1; >=3.0.0, <3.0.9.1 |
| Regular Expression Denial of Service (ReDoS) when parsing Content-Type data in | Upgrade | >=0.4.0, <2.2.8.1; >=3.0.0, <3.0.9.1 |
| Regular Expression Denial of Service (ReDoS) in the | Upgrade | <2.0.9.4; >=2.1.0, <2.1.4.4; >=2.2.0, <2.2.8.1; >=3.0.0, <3.0.9.1 |
| Denial of Service (DoS) via the Multipart MIME parsing functionality in | Upgrade | <2.0.9.3; >=2.1.0, <2.1.4.3; >=2.2.0, <2.2.6.3; >=3.0.0.beta1, <3.0.4.2 |
| Regular Expression Denial of Service (ReDoS) in the. NOTE: Patches have been released to address this issue: 2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch | Upgrade | >=1.5.0, <2.0.9.2; >=2.1.0.0, <2.1.4.2; >=2.2.0.0, <2.2.6.2; >=3.0.0.0, <3.0.4.1 |
| Denial of Service (DoS) via the. Notes: Impacted code will use Rack's. It also includes reading POST data from a Rack request object like this: | Upgrade | >=1.2, <2.0.9.1; >=2.1.0, <2.1.4.1; >=2.2.0, <2.2.3.1 |
| Arbitrary Code Injection. There is a possible shell-escape sequence injection vulnerability in Rack's. Notes: Impacted applications will have either of these middleware installed, and vulnerable apps may have something like this: | Upgrade | <2.0.9.1; >=2.1.0, <2.1.4.1; >=2.2.0, <2.2.3.1 |
| Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configuration) and the server. This can result in malicious requests being cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and therefore would not include it in a cache key of an unkeyed parameter. PoC: The server sees 3 parameters here: | Upgrade | <3.0.0.beta1 |
| Cross-site Request Forgery (CSRF). It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that depends on this prefix to determine whether a cookie is safe to process being manipulated into processing an insecure or cross-origin request. | Upgrade | <2.1.4; >=2.2.0, <2.2.3 |
| Directory Traversal. If certain directories exist in a directory that is managed by | Upgrade | <2.1.3 |
| Information Exposure. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. | Upgrade | <1.6.12; >=2.0.0.alpha, <2.0.8 |
| Cross-site Scripting (XSS) via the | Upgrade | <1.6.11; >=2.0.0, <2.0.6 |