CVE-2022-30122
Denial of Service vulnerability in rack (RubyGems)
What is CVE-2022-30122 About?
This vulnerability in Rack's multipart parsing component can lead to a Denial of Service (DoS) through carefully crafted multipart POST requests. Attackers can create requests that cause the parser to consume excessive processing time, making the application unresponsive. Exploitation is relatively easy with knowledge of the vulnerability, requiring only a malicious POST request.
Affected Software
- rack >=1.2, <2.0.9.1
- rack >=2.1, <2.1.4.1
- rack >=2.2, <2.2.3.1
Technical Details
The Denial of Service vulnerability in Rack's multipart parsing component (affecting versions >=1.2 and <2.0.9.1, >=2.1 and <2.1.4.1, and >=2.2 and <2.2.3.1) arises from an inefficiency in how Rack::Multipart.parse_multipart handles specific, maliciously crafted multipart POST requests. Certain structures within the multipart body, designed to be computationally expensive for the parser, cause it to consume significantly more CPU time than a legitimate request of similar size would. This leads to resource exhaustion, making the application unresponsive to other requests and effectively causing a Denial of Service. The issue can affect any application that uses Rack's multipart parser, including applications that rely on it indirectly through request.POST or request.params in Rack.
What is the Impact of CVE-2022-30122?
Successful exploitation may allow attackers to render the affected application or server unresponsive, leading to a Denial of Service for legitimate users.
What is the Exploitability of CVE-2022-30122?
Exploitation of this vulnerability involves sending a carefully crafted multipart POST request to an affected application. The complexity is low, requiring only the ability to send HTTP requests to an exposed endpoint that processes multipart data. No authentication is required if the vulnerable endpoint is publicly accessible. This is a remote exploit. The primary risk factor is the public exposure of any application using affected Rack versions that processes multipart form data, as the vulnerability is triggered simply by receiving a malicious request.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-30122?
Available Upgrade Options
- rack >=1.2, <2.0.9.1 → Upgrade to 2.0.9.1
- rack >=2.1, <2.1.4.1 → Upgrade to 2.1.4.1
- rack >=2.2, <2.2.3.1 → Upgrade to 2.2.3.1
Additional Resources
- https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729
- https://security.netapp.com/advisory/ntap-20231208-0012/
- https://nvd.nist.gov/vuln/detail/CVE-2022-30122
- https://osv.dev/vulnerability/GHSA-hxqx-xwvh-44m2
- https://security.gentoo.org/glsa/202310-18
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml
- https://github.com/rack/rack
What are Similar Vulnerabilities to CVE-2022-30122?
Similar Vulnerabilities: CVE-2022-44571, CVE-2022-29177, CVE-2021-22929, CVE-2020-8184, CVE-2020-8167
