1
+ ---
2
+ gem : rack-contrib
3
+ cve : 2024-35231
4
+ ghsa : 8c8q-2xw3-j869
5
+ url : https://nvd.nist.gov/vuln/detail/CVE-2024-35231
6
+ title : Denial of Service in rack-contrib via "profiler_runs" parameter
7
+ date : 2024-05-27
8
+ description : |
9
+ rack-contrib prior to version 2.5.0 is vulnerable to a Denial of Service
10
+ via the `profiler_runs` HTTP request parameter.
11
+
12
+ Versions Affected: < 2.5.0
13
+ Fixed Versions: >= 2.5.0
14
+
15
+ # Impact
16
+
17
+ An attacker can trigger a Denial of Service by sending an HTTP request with
18
+ an overly large `profiler_runs` parameter.
19
+
20
+ ```shell
21
+ curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
22
+ ```
23
+
24
+ # Releases
25
+
26
+ The fixed releases are available at the normal locations.
27
+
28
+ # Workarounds
29
+
30
+ There are no feasible workarounds for this issue.
31
+
32
+ cvss_v3 : 8.6
33
+ patched_versions :
34
+ - " >= 2.5.0"
35
+ related :
36
+ url :
37
+ - https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
38
+ - https://github.com/advisories/GHSA-8c8q-2xw3-j869
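Review bot: the `patched_versions` entry `" >= 2.5.0"` carries a leading space inside the quotes, which is inconsistent with the `>= 2.5.0` constraint written in the description block; suggest `- ">= 2.5.0"` so the requirement string matches the rest of the entry. Separately, the description attributes the issue only to `profiler_runs`, while the reproduction request also passes `profile=process_time`; a sentence naming the component that consumes these parameters would let readers judge whether their deployment is exposed, and would justify the "no feasible workarounds" statement under `# Workarounds`.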