RubySec

Providing security resources for the Ruby community

CVE-2011-5036 (rack): Rack Hash Collision Form Parameter Parsing Remote DoS

ADVISORIES

GEM

rack

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • ~> 1.1.3
  • ~> 1.2.5
  • ~> 1.3.6
  • >= 1.4.0

DESCRIPTION

Rack contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption.