ADVISORIES
GEM
PATCHED VERSIONS
- ~> 2.0.9, >= 2.0.9.4
- ~> 2.1.4, >= 2.1.4.4
- ~> 2.2.8, >= 2.2.8.1
- >= 3.0.9.1
DESCRIPTION
There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.
Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept
and
Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.
Releases
The fixed releases are available at the normal locations.
Workarounds
There are no feasible workarounds for this issue.