rack@1.6.4 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the rack package. This does not include vulnerabilities belonging to this package’s dependencies.

  • [Low] Race Condition

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Race Condition in Rack::Session::Pool middleware, which allows an attacker to restore and use a deleted session. The attacker must be in possession of a valid session cookie and the attack must be timed to coincide with a disconnection from the long-running session by another user.

How to fix Race Condition?

Upgrade rack to version 2.2.14 or higher.

Vulnerable versions: <2.2.14
  • [High] Allocation of Resources Without Limits or Throttling

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Rack::QueryParser. An attacker can exhaust memory and CPU by sending HTTP requests containing an excessively large number of &-separated query parameters.
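
Added example, not Rack's own code and not part of this advisory: a small Rack middleware that bounds the number of query parameters before any downstream code asks Rack to parse them. It relies only on the Rack env contract (a Hash carrying QUERY_STRING), so it runs without the rack gem installed. The class name, the MAX_PARAMS value and the inner app in the demo are assumptions made for the example.

```ruby
# Added example, not Rack's own code: a Rack middleware that bounds the
# number of '&'-separated query parameters before anything downstream
# parses them. MAX_PARAMS is an assumed limit, not a value Rack defines.
class QueryParamLimit
  MAX_PARAMS = 100

  def initialize(app, max_params: MAX_PARAMS)
    @app = app
    @max_params = max_params
  end

  # Number of '&'-separated pairs. String#count is one linear pass that
  # allocates nothing per pair, so the guard itself stays cheap on hostile
  # input.
  def self.count_pairs(query_string)
    return 0 if query_string.nil? || query_string.empty?
    query_string.count("&") + 1
  end

  def call(env)
    if self.class.count_pairs(env["QUERY_STRING"]) > @max_params
      body = "query string has too many parameters\n"
      return [400,
              { "content-type" => "text/plain", "content-length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Stand-alone demo with a constructed env; the inner app just answers 200.
if __FILE__ == $PROGRAM_NAME
  app = QueryParamLimit.new(->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] },
                            max_params: 3)
  p app.call("QUERY_STRING" => "a=1&b=2&c=3")[0]     # 200
  p app.call("QUERY_STRING" => "x=1&" * 5000)[0]     # 400
end
```

Form bodies of type application/x-www-form-urlencoded go through the same parser; the same count applied to the body you read, together with a Content-Length bound, covers that path.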

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade rack to version 2.2.14, 3.0.16, 3.1.14 or higher.

Vulnerable versions: <2.2.14; >=3.0.0.beta1, <3.0.16; >=3.1.0, <3.1.14
  • [High] Relative Path Traversal

Affected versions of this package are vulnerable to Relative Path Traversal in the can_serve() function of Rack::Static, which enables local file inclusion. An attacker who knows the exact path to any file in the root: directory can access it by supplying a path-traversing pathname.

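Added example, not Rack's own Rack::Static code: the check a static-file handler needs before it opens anything. Percent-encoding is decoded before inspection (so "%2e%2e" is seen as ".."), NUL bytes and ".." segments are refused outright, and the expanded absolute path is re-checked against the expanded root. The module name, the root directory and the request paths are constructed for the example.

```ruby
# Added example, not Rack's own code: resolve a request path under a fixed
# root and refuse anything that would leave it.
module SafeStatic
  module_function

  # Decode %XX sequences byte-wise; "+" is left alone because this is a
  # path, not a form field.
  def percent_decode(path)
    path.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }.force_encoding(Encoding::UTF_8)
  end

  # Returns the absolute file path to serve, or nil when the request must
  # be refused.
  def resolve(root, path_info)
    decoded = percent_decode(path_info.to_s)
    return nil unless decoded.valid_encoding?
    return nil if decoded.include?("\0")

    segments = decoded.split("/").reject(&:empty?)
    return nil if segments.any? { |s| s == ".." }   # no parent hops at all

    root_abs = File.expand_path(root)
    full = File.expand_path(File.join(root_abs, *segments))
    # Second line of defence: whatever the segment filter missed, the
    # resolved path must still be the root itself or strictly inside it.
    return nil unless full == root_abs || full.start_with?(root_abs + File::SEPARATOR)
    full
  end
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/static"   # constructed root for the demo
  ["/css/app.css", "/css/%2e%2e/%2e%2e/etc/passwd", "/..%2fconfig.ru"].each do |req|
    puts "#{req.ljust(32)} -> #{SafeStatic.resolve(root, req).inspect}"
  end
end
```

The prefix check does not follow symlinks; if the root may contain links pointing outside it, resolve the final path with File.realpath (which requires the file to exist) and compare that instead.
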
How to fix Relative Path Traversal?

Upgrade rack to version 2.2.13, 3.0.14, 3.1.12 or higher.

Vulnerable versions: <2.2.13; >=3.0.0.beta1, <3.0.14; >=3.1.0, <3.1.12
  • [Medium] Improper Output Neutralization for Logs

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs in the Rack::Sendfile middleware which logs values from the X-Sendfile-Type header. An attacker can inject messages into logs by including escape sequences such as newline characters in sent headers.

How to fix Improper Output Neutralization for Logs?

Upgrade rack to version 2.2.12, 3.0.13, 3.1.11 or higher.

Vulnerable versions: <2.2.12; >=3.0.0.beta1, <3.0.13; >=3.1.0, <3.1.11
  • [High] Improper Output Neutralization for Logs

Affected versions of this package are vulnerable to Improper Output Neutralization for Logs through the Rack::CommonLogger process. An attacker can manipulate log entries by crafting input that includes newline characters to insert fraudulent entries or obscure real activity.

How to fix Improper Output Neutralization for Logs?

Upgrade rack to version 2.2.11, 3.0.12, 3.1.10 or higher.

Vulnerable versions: <2.2.11; >=3.0.0, <3.0.12; >=3.1.0, <3.1.10
  • [High] Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) in handling of the Range request header. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. This issue is present when the Rack::File middleware or the Rack::Utils.byte_ranges methods are used (which includes applications built with Rails).

How to fix Denial of Service (DoS)?

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

Vulnerable versions: >=1.3.0, <2.2.8.1; >=3.0.0, <3.0.9.1
  • [Medium] Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) when parsing Content-Type data in media_type.rb, causing a slow-down in parsing performance. Code using any of the following may be vulnerable: request.media_type, request.media_type_params, Rack::MediaType.type(content_type).

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade rack to version 2.2.8.1, 3.0.9.1 or higher.

Vulnerable versions: >=0.4.0, <2.2.8.1; >=3.0.0, <3.0.9.1
  • [Medium] Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the build_nested_query() function, used when parsing Accept and Forwarded headers. This can cause parsing performance to slow down.

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade rack to version 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 or higher.

Vulnerable versions: <2.0.9.4; >=2.1.0, <2.1.4.4; >=2.2.0, <2.2.8.1; >=3.0.0, <3.0.9.1
  • [High] Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the multipart MIME parsing functionality in parser.rb, which does not limit the total number of parts that can be uploaded. A carefully crafted request can make multipart parsing take much longer than expected.

How to fix Denial of Service (DoS)?

Upgrade rack to version 2.0.9.3, 2.1.4.3, 2.2.6.3, 3.0.4.2 or higher.

Vulnerable versions: <2.0.9.3; >=2.1.0, <2.1.4.3; >=2.2.0, <2.2.6.3; >=3.0.0.beta1, <3.0.4.2
  • [Medium] Regular Expression Denial of Service (ReDoS)

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the get_byte_ranges() range header parsing function in utils.rb.
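
Added example, not Rack's own Rack::Utils.byte_ranges code, covering both this ReDoS entry and the Range-header DoS entry above: a Range parser that does its work with bounded String#split and anchored single-quantifier matches (no backtracking), caps the number of ranges, and refuses range sets that overlap or whose combined length exceeds the resource, which is the shape of the oversized-response problem. The module name and the MAX_RANGES value are assumptions; the headers in the demo are constructed.

```ruby
# Added example, not Rack's own code: a hardened Range header parser.
module SafeRanges
  module_function

  MAX_RANGES = 32   # assumed cap on ranges per request

  # Returns an Array of inclusive Integer ranges, or nil when the header is
  # absent, malformed, unsatisfiable, too long, overlapping or oversized.
  def byte_ranges(http_range, size, max_ranges: MAX_RANGES)
    return nil unless http_range.is_a?(String) && http_range.start_with?("bytes=")
    spec = http_range[6..-1]
    # Bounded split: at most max_ranges + 2 pieces are ever produced.
    parts = spec.split(",", max_ranges + 2)
    return nil if parts.empty? || parts.size > max_ranges

    ranges = []
    parts.each do |part|
      part = part.strip
      first_s, last_s = part.split("-", -1)
      return nil if last_s.nil? || part.count("-") != 1
      return nil unless digits?(first_s) && digits?(last_s)

      if first_s.empty?
        return nil if last_s.empty?        # "-" on its own
        suffix = last_s.to_i
        next if suffix.zero?                # "-0" selects nothing
        first = [size - suffix, 0].max
        last = size - 1
      else
        first = first_s.to_i
        last = last_s.empty? ? size - 1 : [last_s.to_i, size - 1].min
      end
      next if first > last                  # unsatisfiable range: skip it
      ranges << (first..last)
    end
    return nil if ranges.empty?

    sorted = ranges.sort_by(&:first)
    sorted.each_cons(2) { |a, b| return nil if b.first <= a.last }   # overlap
    return nil if ranges.sum(&:size) > size                          # oversized
    ranges
  end

  # Empty or all digits; anchored, single quantifier, so linear time.
  def digits?(s)
    s.empty? || s.match?(/\A[0-9]+\z/)
  end
end

if __FILE__ == $PROGRAM_NAME
  size = 1000
  ["bytes=0-99", "bytes=-100", "bytes=0-999,0-999", "bytes=" + (["0-0"] * 100).join(",")].each do |h|
    puts "#{h[0, 40].ljust(40)} -> #{SafeRanges.byte_ranges(h, size).inspect}"
  end
end
```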

NOTE: Patches have been released to address this issue: 2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch, 3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch

How to fix Regular Expression Denial of Service (ReDoS)?

Upgrade rack to version 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.4.1 or higher.

Vulnerable versions: >=1.5.0, <2.0.9.2; >=2.1.0.0, <2.1.4.2; >=2.2.0.0, <2.2.6.2; >=3.0.0.0, <3.0.4.1
  • [High] Denial of Service (DoS)

Affected versions of this package are vulnerable to Denial of Service (DoS) via the multipart parsing component. Exploiting this vulnerability is possible when carefully crafted multipart POST requests cause Rack's multipart parser to take much longer than expected.

Notes:

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

It also includes reading POST data from a Rack request object like this:

p request.POST   # reads POST data
p request.params # reads both query params and POST data

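Added example, not Rack's own Rack::Multipart parser, covering this entry and the unbounded-parts entry above: a minimal multipart/form-data splitter that locates each delimiter with String#index (linear in the body size) and stops as soon as a body carries more parts than allowed, before it has spent any work on the excess parts. The module name and MAX_PARTS are assumptions; build_body manufactures the sample bodies used to exercise it.

```ruby
# Added example, not Rack's own code: a bounded multipart splitter.
module MultipartGuard
  MAX_PARTS = 128   # assumed cap on parts per request

  class TooManyParts < StandardError; end
  class Malformed < StandardError; end

  # Returns an Array of { headers: {lowercased name => value}, body: String }.
  def self.parse(body, boundary, max_parts: MAX_PARTS)
    delim = "--#{boundary}"
    parts = []
    pos = body.index(delim)
    raise Malformed, "no opening delimiter" if pos.nil?

    loop do
      pos += delim.size
      break if body[pos, 2] == "--"                     # closing delimiter
      raise Malformed, "bad delimiter line" unless body[pos, 2] == "\r\n"
      pos += 2
      # Refuse before scanning the (max_parts + 1)th part at all.
      raise TooManyParts, "more than #{max_parts} parts" if parts.size >= max_parts

      finish = body.index("\r\n#{delim}", pos)
      raise Malformed, "unterminated part" if finish.nil?
      header_blob, _, part_body = body[pos...finish].partition("\r\n\r\n")
      headers = header_blob.split("\r\n").each_with_object({}) do |line, h|
        name, value = line.split(":", 2)
        h[name.strip.downcase] = value.to_s.strip if name && value
      end
      parts << { headers: headers, body: part_body }
      pos = finish + 2                                  # start of the next "--boundary"
    end
    parts
  end

  # Build a multipart/form-data body from simple text fields (constructed
  # demo input, not something a real client sent).
  def self.build_body(boundary, fields)
    fields.map do |name, value|
      "--#{boundary}\r\nContent-Disposition: form-data; name=\"#{name}\"\r\n\r\n#{value}\r\n"
    end.join + "--#{boundary}--\r\n"
  end
end

if __FILE__ == $PROGRAM_NAME
  flood = MultipartGuard.build_body("XBOUNDARY", (1..10_000).map { |i| ["f#{i}", "x"] }.to_h)
  begin
    MultipartGuard.parse(flood, "XBOUNDARY", max_parts: 256)
  rescue MultipartGuard::TooManyParts => e
    puts "rejected: #{e.message}"
  end
end
```

The Rack entry points listed in the notes above (Rack::Multipart.parse_multipart, request.POST, request.params) all reach the same parser; a guard like this belongs in front of them, or as a Content-Length limit on the body, when upgrading is not immediately possible.
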
How to fix Denial of Service (DoS)?

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

Vulnerable versions: >=1.2, <2.0.9.1; >=2.1.0, <2.1.4.1; >=2.2.0, <2.2.3.1
  • [Critical] Arbitrary Code Injection

Affected versions of this package are vulnerable to Arbitrary Code Injection. There is a possible shell-escape sequence injection vulnerability in Rack's Lint and CommonLogger components. Carefully crafted requests can cause shell escape sequences to be written to the terminal via Rack's Lint middleware and CommonLogger middleware. These escape sequences can be leveraged to possibly execute commands in the victim's terminal.

Notes:

Impacted applications have either of these middlewares installed; a vulnerable app's middleware stack will contain something like use Rack::Lint or use Rack::CommonLogger.

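Added example, not Rack's own CommonLogger, Sendfile or Lint code, covering this entry and the two log-injection entries above: neutralize request-supplied data before it is written to a log or a terminal. Carriage returns and line feeds (which forge extra log entries), ESC and the remaining C0/C1 control characters (which drive terminal escape sequences) and DEL are escaped; printable text, including non-ASCII, passes through unchanged. The module name and the env used in the demo are constructed for the example.

```ruby
# Added example, not Rack's own code: neutralize log and terminal output.
module LogSanitizer
  module_function

  # Escape every character that can break a log line or drive a terminal.
  def neutralize(value)
    str = value.to_s.dup.force_encoding(Encoding::UTF_8)
    str = str.scrub("?") unless str.valid_encoding?
    str.gsub(/[\u0000-\u001f\u007f-\u009f]/) do |ch|
      case ch
      when "\n" then "\\n"
      when "\r" then "\\r"
      when "\t" then "\\t"
      when "\e" then "\\e"
      else format("\\x%02x", ch.ord)
      end
    end
  end

  # Common Log Format line built from a Rack env with every request-derived
  # field neutralized.
  def log_line(env, status, length)
    path = env["PATH_INFO"].to_s
    path += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
    format('%s - - "%s %s %s" %d %s',
           neutralize(env["REMOTE_ADDR"]),
           neutralize(env["REQUEST_METHOD"]),
           neutralize(path),
           neutralize(env["SERVER_PROTOCOL"]),
           status.to_i,
           length)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed hostile request: the query string tries to append a forged
  # entry for a different client and then clear the terminal.
  env = {
    "REMOTE_ADDR" => "203.0.113.5", "REQUEST_METHOD" => "GET",
    "PATH_INFO" => "/search", "SERVER_PROTOCOL" => "HTTP/1.1",
    "QUERY_STRING" => "q=x\r\n127.0.0.1 - - \"GET /admin HTTP/1.1\" 200 0\e[2J"
  }
  puts LogSanitizer.log_line(env, 200, 512)
end
```

The same function applies to any header value a middleware echoes into its output, such as the X-Sendfile-Type value Rack::Sendfile logs.
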
How to fix Arbitrary Code Injection?

Upgrade rack to version 2.0.9.1, 2.1.4.1, 2.2.3.1 or higher.

Vulnerable versions: <2.0.9.1; >=2.1.0, <2.1.4.1; >=2.2.0, <2.2.3.1
  • [Medium] Web Cache Poisoning

Affected versions of this package are vulnerable to Web Cache Poisoning via a technique called parameter cloaking. Because the attacker can separate query parameters with a semicolon (;), the proxy (in its default configuration) and the server interpret the same request differently. A malicious request can therefore be cached as a harmless one: the proxy does not treat the semicolon as a separator, so the cloaked parameter stays inside the value of an unkeyed parameter and never enters the cache key.

PoC

GET /?q=legitimate&utm_content=1;q=malicious HTTP/1.1
Host: somesite.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.83 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

The server sees three parameters here: q, utm_content and then q again. The proxy, on the other hand, treats the whole string 1;q=malicious as the value of utm_content, so its cache key contains only somesite.com/?q=legitimate.

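Added example, not Rack's own Rack::Utils.parse_query: the PoC query string above parsed with the two separator sets involved, "&;" (what Rack before 3.0 accepted by default) and "&" (what a proxy keying its cache on selected parameters, and Rack 3, use), plus a model of the proxy's cache key. The module name, the keyed-parameter list and the host are constructed for the example.

```ruby
# Added example, not Rack's own code: the two readings of one query string.
module QueryParsing
  module_function

  LEGACY_SEPARATORS = "&;"   # Rack < 3.0 default
  STRICT_SEPARATORS = "&"    # Rack 3 and typical caching proxies

  def decode(s)
    s.tr("+", " ").b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }.force_encoding(Encoding::UTF_8)
  end

  # Ordered [name, value] pairs; repeated names are kept so the difference
  # between the two readings stays visible.
  def pairs(query_string, separators)
    query_string.to_s.split(/[#{Regexp.escape(separators)}]/).each_with_object([]) do |pair, out|
      next if pair.empty?
      name, value = pair.split("=", 2)
      out << [decode(name), decode(value.to_s)]
    end
  end

  # Last-wins Hash, the reading a nested-parameter parser gives a repeated
  # scalar key.
  def last_wins(query_string, separators)
    pairs(query_string, separators).to_h
  end

  # The key a caching proxy derives when it keys only on +keyed+ names and
  # splits on +separators+.
  def cache_key(host, path, query_string, separators, keyed)
    kept = pairs(query_string, separators).select { |name, _| keyed.include?(name) }
    key = host + path
    key += "?" + kept.map { |n, v| "#{n}=#{v}" }.join("&") unless kept.empty?
    key
  end
end

if __FILE__ == $PROGRAM_NAME
  qs = "q=legitimate&utm_content=1;q=malicious"
  puts "proxy sees:  #{QueryParsing.pairs(qs, QueryParsing::STRICT_SEPARATORS).inspect}"
  puts "server sees: #{QueryParsing.pairs(qs, QueryParsing::LEGACY_SEPARATORS).inspect}"
  puts "cache key:   #{QueryParsing.cache_key('somesite.com', '/', qs, QueryParsing::STRICT_SEPARATORS, ['q'])}"
end
```
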
How to fix Web Cache Poisoning?

Upgrade rack to version 3.0.0.beta1 or higher.

Vulnerable versions: <3.0.0.beta1
  • [Medium] Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request.
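
Added example, not Rack's own cookie parsing: parse a Cookie header and discard any cookie whose name only acquires a "__Host-" or "__Secure-" prefix after percent-decoding. Browsers apply the prefix rules to the raw name they store, so a raw name such as "__%48ost-session" was never subject to them and the prefix is forged. The module name is an assumption and the cookie names and values are constructed for the example; the first occurrence of a name wins.

```ruby
# Added example, not Rack's own code: reject forged cookie prefixes.
module CookiePrefixGuard
  PREFIXES = ["__Host-", "__Secure-"].freeze

  def self.decode(s)
    s.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }.force_encoding(Encoding::UTF_8)
  end

  # True when the decoded name carries a prefix the raw name did not.
  def self.forged_prefix?(raw_name, decoded_name)
    PREFIXES.any? { |p| decoded_name.start_with?(p) && !raw_name.start_with?(p) }
  end

  # Hash of decoded name => decoded value. The first occurrence of a name
  # wins; cookies with a forged prefix are dropped.
  def self.parse(cookie_header)
    cookie_header.to_s.split(/[;,] */).each_with_object({}) do |pair, cookies|
      raw_name, raw_value = pair.split("=", 2)
      raw_name = raw_name.to_s.strip
      next if raw_name.empty?
      name = decode(raw_name)
      next if forged_prefix?(raw_name, name)
      cookies[name] = decode(raw_value.to_s) unless cookies.key?(name)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header: an attacker-written cookie tries to pose as the
  # host-only session cookie; the genuine one follows.
  p CookiePrefixGuard.parse("__%48ost-session=forged; __Host-session=real; theme=dark")
end
```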

How to fix Cross-site Request Forgery (CSRF)?

Upgrade rack to version 2.1.4, 2.2.3 or higher.

Vulnerable versions: <2.1.4; >=2.2.0, <2.2.3
  • [High] Directory Traversal

Affected versions of this package are vulnerable to Directory Traversal. If certain directories exist in a directory that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.

How to fix Directory Traversal?

Upgrade rack to version 2.1.3 or higher.

Vulnerable versions: <2.1.3
  • [Medium] Information Exposure

Affected versions of this package are vulnerable to Information Exposure. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
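
Added example, not Rack's own Rack::Session code: an in-memory session store that never indexes sessions by the cookie value. The public id from the cookie is mapped to its SHA-256 digest before lookup, so the time a lookup takes no longer depends on how many leading bytes of a guess match a real id; the upstream fix took the same hashed-key approach. constant_time_equal? shows the comparison to use wherever a secret is compared directly instead of looked up. The class name is an assumption; session contents in the demo are constructed.

```ruby
require "digest"
require "securerandom"

# Added example, not Rack's own code: sessions keyed by a hash of the id.
class HashedSessionStore
  def initialize
    @sessions = {}
  end

  # The key the store actually uses; the public id never touches the index.
  def self.private_id(public_id)
    Digest::SHA256.hexdigest(public_id.to_s)
  end

  # Byte-wise comparison whose running time depends only on the lengths.
  def self.constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # Returns the public id to place in the cookie.
  def create(data = {})
    public_id = SecureRandom.hex(32)
    @sessions[self.class.private_id(public_id)] = data
    public_id
  end

  def find(public_id)
    return nil if public_id.nil?
    @sessions[self.class.private_id(public_id)]
  end

  def delete(public_id)
    @sessions.delete(self.class.private_id(public_id))
  end

  def stored_keys
    @sessions.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  store = HashedSessionStore.new
  sid = store.create("user" => 42)   # constructed session content
  puts "cookie value: #{sid}"
  puts "index key:    #{store.stored_keys.first}"
  p store.find(sid)
end
```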

How to fix Information Exposure?

Upgrade rack to version 1.6.12, 2.0.8 or higher.

Vulnerable versions: <1.6.12; >=2.0.0.alpha, <2.0.8
  • [Medium] Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the scheme method on Rack::Request.

How to fix Cross-site Scripting (XSS)?

Upgrade rack to version 1.6.11, 2.0.6 or higher.

Vulnerable versions: <1.6.11; >=2.0.0, <2.0.6