ADVISORIES

CVE-2024-26141 (NVD)
GHSA-xj5v-6v4g-jfw6
Vendor Advisory

GEM

UNAFFECTED VERSIONS

< 1.3.0

PATCHED VERSIONS

~> 2.2.8, >= 2.2.8.1
>= 3.0.9.1

DESCRIPTION

There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

https://github.com/rack/rack/releases/tag/v3.0.9.1
https://github.com/rack/rack/releases/tag/v2.2.8.1
https://nvd.nist.gov/vuln/detail/CVE-2024-25141
https://access.redhat.com/security/cve/cve-2024-26141
https://ubuntu.com/security/CVE-2024-26141

RubySec

CVE-2024-26141 (rack): Possible DoS Vulnerability with Range Header in Rack