CVE-2022-44572
Denial of Service vulnerability in rack (RubyGems)

Category: Denial of Service. Known public exploits: none.

What is CVE-2022-44572 About?

This is a denial of service vulnerability in Rack's multipart parsing component (the RFC 2183 Content-Disposition handling). Carefully crafted multipart input can make the parser take an excessively long time, exhausting CPU and disrupting service. Exploitation would likely be of moderate difficulty, requiring knowledge of multipart input structures and of Rack's parsing behavior.

Affected Software

  • rack
    • >=2.0.0, <2.0.9.2
    • >=2.1.0.0, <2.1.4.2
    • >=2.2.0.0, <2.2.6.1
    • >=3.0.0.0, <3.0.4.1

Technical Details

The vulnerability resides in the RFC 2183 multipart boundary parsing component of Rack. An attacker can submit a specially crafted multipart body (for example through a file upload) that, when processed by Rack, triggers a computational inefficiency or a ReDoS (Regular Expression Denial of Service) condition in the parsing logic. Such input makes the parsing operation consume an exponential or otherwise highly disproportionate amount of CPU time and other system resources, which can leave the application unresponsive or cause it to crash, resulting in a denial of service. Because Rack performs multipart POST parsing for virtually all Rails applications, nearly all of them are impacted.

What is the Impact of CVE-2022-44572?

Successful exploitation may allow attackers to disrupt application availability, degrade system performance, or cause the application to become unresponsive by consuming excessive resources.

What is the Exploitability of CVE-2022-44572?

Exploiting this vulnerability involves supplying carefully crafted multipart input, typically through a file upload mechanism. The complexity is moderate, as it requires an understanding of RFC 2183 multipart structures and of how to construct input that triggers the parsing inefficiency. No authentication or privileges are required when the multipart parsing functionality is exposed to unauthenticated users, making this a remote, unauthenticated attack; where that functionality sits behind authentication, authenticated access is a prerequisite. The vulnerability affects any application that parses multipart posts using Rack, including nearly all Rails applications, which makes the potential attack surface large. With no feasible workarounds available, patching is the primary mitigation.

What are the Known Public Exploits?

No known public exploits have been recorded (no PoC, author, link or commentary).

What are the Available Fixes for CVE-2022-44572?

Available Upgrade Options

  • rack
    • >=2.0.0, <2.0.9.2 → Upgrade to 2.0.9.2
    • >=2.1.0.0, <2.1.4.2 → Upgrade to 2.1.4.2
    • >=2.2.0.0, <2.2.6.1 → Upgrade to 2.2.6.1
    • >=3.0.0.0, <3.0.4.1 → Upgrade to 3.0.4.1


Additional Resources

What are Similar Vulnerabilities to CVE-2022-44572?

Similar Vulnerabilities: CVE-2024-26146, CVE-2024-26141, CVE-2022-2988, CVE-2021-38102, CVE-2023-39325