{ "threat_severity" : "Moderate", "public_date" : "2024-02-22T00:00:00Z", "bugzilla" : { "description" : "rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing", "id" : "2265595", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2265595" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-1333", "details" : [ "Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.", "A denial of service (DoS) vulnerability was found in rubygem-rack in how it parses Rack Header. Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. Accept and Forwarded headers are impacted." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2024-05-22T00:00:00Z", "advisory" : "RHSA-2024:2953", "cpe" : "cpe:/a:redhat:enterprise_linux:8::highavailability", "package" : "pcs-0:0.10.18-2.el8_10" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date" : "2024-04-23T00:00:00Z", "advisory" : "RHSA-2024:2007", "cpe" : "cpe:/a:redhat:rhel_tus:8.2::highavailability", "package" : "pcs-0:0.10.4-6.el8_2.5" }, { "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date" : "2024-04-23T00:00:00Z", "advisory" : "RHSA-2024:2007", "cpe" : "cpe:/a:redhat:rhel_e4s:8.2::highavailability", "package" : "pcs-0:0.10.4-6.el8_2.5" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2584", "cpe" : "cpe:/a:redhat:rhel_aus:8.4::highavailability", "package" : "pcs-0:0.10.8-1.el8_4.5" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2584", "cpe" : "cpe:/a:redhat:rhel_tus:8.4::highavailability", "package" : "pcs-0:0.10.8-1.el8_4.5" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2584", "cpe" : "cpe:/a:redhat:rhel_e4s:8.4::highavailability", "package" : "pcs-0:0.10.8-1.el8_4.5" }, { "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date" : "2024-05-28T00:00:00Z", "advisory" : "RHSA-2024:3431", "cpe" : "cpe:/a:redhat:rhel_eus:8.6::highavailability", "package" : "pcs-0:0.10.12-6.el8_6.5" }, { "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2581", "cpe" : "cpe:/a:redhat:rhel_eus:8.8::highavailability", "package" : "pcs-0:0.10.15-4.el8_8.2" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2024-04-30T00:00:00Z", "advisory" : "RHSA-2024:2113", "cpe" : "cpe:/a:redhat:enterprise_linux:9::highavailability", "package" : "pcs-0:0.11.7-2.el9_4" }, { "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1841", "cpe" : "cpe:/a:redhat:rhel_eus:9.0::highavailability", "package" : "pcs-0:0.11.1-10.el9_0.5" }, { "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date" : "2024-04-16T00:00:00Z", "advisory" : "RHSA-2024:1846", "cpe" : "cpe:/a:redhat:rhel_eus:9.2::highavailability", "package" : "pcs-0:0.11.4-7.el9_2.1" }, { "product_name" : "Red Hat Satellite 6.15 for RHEL 8", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10806", "cpe" : "cpe:/a:redhat:satellite:6.15::el8", "package" : "rubygem-rack-0:2.2.8.1-1.el8sat" }, { "product_name" : "Red Hat Satellite 6.15 for RHEL 8", "release_date" : "2024-12-04T00:00:00Z", "advisory" : "RHSA-2024:10806", "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8", "package" : "rubygem-rack-0:2.2.8.1-1.el8sat" } ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Not affected", "package_name" : "openshift-logging/fluentd-rhel9", "cpe" : "cpe:/a:redhat:logging:5" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Will not fix", "package_name" : "3scale-amp-backend-container", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Will not fix", "package_name" : "3scale-amp-system-container", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat 3scale API Management Platform 2", "fix_state" : "Fix deferred", "package_name" : "3scale-amp-zync-container", "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2" }, { "product_name" : "Red Hat Enterprise Linux 7", "fix_state" : "Out of support scope", "package_name" : "pcs", "cpe" : "cpe:/o:redhat:enterprise_linux:7" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-26146\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26146\nhttps://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942" ], "name" : "CVE-2024-26146", "mitigation" : { "value" : "No mitigation is currently available for this vulnerability. The recommendation is to perform updates as soon as they are available.", "lang" : "en:us" }, "csaw" : false }