CVE-2022-44571 - Vulnerability Details

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Rack	Rack
Redhat	Satellite Satellite Capsule

Configuration 1 [-]

OR	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*

Package	CPE	Advisory	Released Date
Red Hat Satellite 6.14 for RHEL 8
rubygem-rack-0:2.2.7-1.el8sat	cpe:/a:redhat:satellite:6.14::el8	RHSA-2023:6818	2023-11-08T00:00:00Z
rubygem-rack-0:2.2.7-1.el8sat	cpe:/a:redhat:satellite_capsule:6.14::el8	RHSA-2023:6818	2023-11-08T00:00:00Z

References

Link	Providers
https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
https://github.com/rubysec/ruby-advisory-db/tree/master/gems/rack/CVE-2022-44571.yml
https://nvd.nist.gov/vuln/detail/CVE-2022-44571
https://security.netapp.com/advisory/ntap-20231208-0013/
https://www.cve.org/CVERecord?id=CVE-2022-44571
https://www.debian.org/security/2023/dsa-5530

History

Thu, 13 Feb 2025 16:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Rack Rack rack
CPEs	cpe:2.3:a:rack_project:rack::::::ruby::*	cpe:2.3:a:rack:rack::::::ruby::*
Vendors & Products	Rack Project Rack Project rack	Rack Rack rack

MITRE

Status: PUBLISHED

Assigner: hackerone

Published: 2023-02-09T00:00:00

Updated: 2024-08-03T13:54:03.839Z

Reserved: 2022-11-01T00:00:00

Link: CVE-2022-44571

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-02-09T20:15:11.153

Modified: 2025-02-13T15:37:40.953

Link: CVE-2022-44571

Redhat

Severity : Moderate

Publid Date: 2023-01-20T00:00:00Z

Links: CVE-2022-44571 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object