Commit a15b67c

Added CVE-2024-35231 for rack-contrib.
1 parent f162724 commit a15b67c

1 file changed

+38
-0
lines changed

gems/rack-contrib/CVE-2024-35231.yml

Lines changed: 38 additions & 0 deletions
@@ -0,0 +1,38 @@
1+
---
2+
gem: rack-contrib
3+
cve: 2024-35231
4+
ghsa: 8c8q-2xw3-j869
5+
url: https://nvd.nist.gov/vuln/detail/CVE-2024-35231
6+
title: Denial of Service in rack-contrib via "profiler_runs" parameter
7+
date: 2024-05-27
8+
description: |
9+
rack-contrib prior to version 2.5.0 is vulnerable to a Denial of Service
10+
via the `profiler_runs` HTTP request parameter.
11+
12+
Versions Affected: < 2.5.0
13+
Fixed Versions: >= 2.5.0
14+
15+
# Impact
16+
17+
An attacker can trigger a Denial of Service by sending an HTTP request with
18+
an overly large `profiler_runs` parameter.
19+
20+
```shell
21+
curl "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"
22+
```
23+
24+
# Releases
25+
26+
The fixed releases are available at the normal locations.
27+
28+
# Workarounds
29+
30+
There are no feasible workarounds for this issue.
31+
32+
cvss_v3: 8.6
33+
patched_versions:
34+
- ">= 2.5.0"
35+
related:
36+
url:
37+
- https://github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
38+
- https://github.com/advisories/GHSA-8c8q-2xw3-j869
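Review bot: the Workarounds paragraph (line 30) states there are no feasible workarounds, but the reproduction on line 21 only reaches the vulnerable path when the request carries `profile=process_time`, i.e. when rack-contrib's profiler is mounted and answering that parameter; either document that not mounting the profiler in production middleware stacks avoids the issue, or say why that is not an option for affected users. Separately, `cvss_v3: 8.6` on line 32 has no vector string and no stated source (NVD vs. GitHub), so a reader cannot check it against the `url:` entries; consider adding the vector or noting which scorer it comes from. The `# Impact` / `# Releases` / `# Workarounds` markdown headings inside the YAML block scalar are fine, but the "Versions Affected" / "Fixed Versions" lines on 12-13 duplicate `patched_versions` on 33-34 and will drift if one is updated without the other.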
