Added CVE-2024-35231 for rack-contrib.

postmodern · postmodern · commit a15b67c34e89 · 2024-05-29T19:34:10.000-07:00
diff --git a/gems/rack-contrib/CVE-2024-35231.yml b/gems/rack-contrib/CVE-2024-35231.yml
@@ -0,0 +1,38 @@
+---
+gem: rack-contrib
+cve: 2024-35231
+ghsa: 8c8q-2xw3-j869
+url: https://nvd.nist.gov/vuln/detail/CVE-2024-35231
+title: Denial of Service in rack-contrib via "profiler_runs" parameter
+date: 2024-05-27
+description: |
+  rack-contrib prior to version 2.5.0 is vulnerable to a Denial of Service
+  via the `profiler_runs` HTTP request parameter.
+
+  Versions Affected: < 2.5.0
+  Fixed Versions: >= 2.5.0
+
+  # Impact
+
+  An attacker can trigger a Denial of Service by sending an HTTP request with
+  an overly large `profiler_runs` parameter.
+
+  ```shell
+  curl  "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
+  ```
+
+  # Releases
+
+  The fixed releases are available at the normal locations.
+
+  # Workarounds
+
+  There are no feasible workarounds for this issue.
+
+cvss_v3: 8.6
+patched_versions:
+  - ">= 2.5.0"
+related:
+  url:
+    - https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
+    - https://github.com/advisories/GHSA-8c8q-2xw3-j869
