RubySec

Providing security resources for the Ruby community

CVE-2012-6109 (rack): Rack Regular Expressions Engine Content-Disposition Header Parsing Infinite Loop Remote DoS

GEM

rack

SEVERITY

CVSS v2: 4.3

PATCHED VERSIONS

  • ~> 1.1.4
  • ~> 1.2.6
  • ~> 1.3.7
  • >= 1.4.2

DESCRIPTION

Rack contains a flaw in the Regular Expressions Engine that may allow a remote denial of service. The issue is triggered when parsing Content-Disposition headers. With a specially crafted header, a remote attacker can cause an infinite loop, which will result in a loss of availability for the web server.
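To turn the patched-version list above into a concrete check, the following added example (not part of the RubySec advisory or of Rack itself) evaluates a rack version against those four ranges using RubyGems' own "~>" and ">=" requirement semantics; the sample version strings are constructed, and the function names are this example's own.

```ruby
# Added example: decide whether a given rack version is inside one of the
# patched ranges listed in the CVE-2012-6109 advisory. Uses RubyGems'
# Gem::Requirement so "~>" (pessimistic) and ">=" mean exactly what
# Bundler and RubyGems mean by them.
require "rubygems"

# Patched ranges exactly as the advisory lists them.
PATCHED_RACK_REQUIREMENTS = [
  Gem::Requirement.new("~> 1.1.4"),
  Gem::Requirement.new("~> 1.2.6"),
  Gem::Requirement.new("~> 1.3.7"),
  Gem::Requirement.new(">= 1.4.2"),
].freeze

# True when version_string satisfies at least one patched range.
def rack_patched_for_cve_2012_6109?(version_string)
  version = Gem::Version.new(version_string)
  PATCHED_RACK_REQUIREMENTS.any? { |req| req.satisfied_by?(version) }
end

# The patched range that covers the version (as a string), or nil if none does.
def matching_patched_range(version_string)
  version = Gem::Version.new(version_string)
  req = PATCHED_RACK_REQUIREMENTS.find { |r| r.satisfied_by?(version) }
  req && req.to_s
end

if __FILE__ == $0
  # Constructed sample versions spanning each range boundary.
  samples = %w[1.1.3 1.1.4 1.1.9 1.2.5 1.2.6 1.3.6 1.3.7 1.4.1 1.4.2 2.2.8]
  samples.each do |v|
    status = rack_patched_for_cve_2012_6109?(v) ? "patched" : "VULNERABLE"
    puts format("rack %-6s %s", v, status)
  end
  # Also report on whatever rack is installed in this RubyGems environment.
  begin
    installed = Gem::Specification.find_by_name("rack").version.to_s
    state = rack_patched_for_cve_2012_6109?(installed) ? "patched" : "VULNERABLE"
    puts "installed rack #{installed}: #{state}"
  rescue Gem::MissingSpecError
    puts "rack is not installed in this RubyGems environment"
  end
end
```

Note that "~> 1.1.4" covers 1.1.4 up to but not including 1.2.0, so a 1.2.x release below 1.2.6 is reported as unpatched even though it is newer than 1.1.4.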