CVE-2023-27539
denial of service vulnerability in rack (RubyGems)

Type: denial of service. Known public exploit: none.

What is CVE-2023-27539 About?

This denial of service vulnerability sits in Rack's header parsing. Carefully crafted header input can cause parsing to take an unexpected amount of time, so an attacker who can send HTTP requests to the server can tie up its workers and make affected applications unavailable. Nothing more than manipulated requests is needed, which makes it relatively easy to exploit.

Affected Software

  • rack
    • >=3.0.0, <3.0.6.1
    • >=2.0.0, <2.2.6.4

Technical Details

The vulnerability exists in Rack's header parsing and affects every release from 2.0.0 up to the fixed versions listed above (2.2.6.4 on the 2.x line, 3.0.6.1 on the 3.x line). Carefully crafted header values drive the parser into a pathological slow path. The Regexp.timeout workaround noted under exploitability below indicates that this slow path is regular-expression backtracking, where the time spent grows far faster than the length of the input, so the cost is CPU time rather than memory. A single such request can occupy a worker thread for an extended period; a modest stream of them exhausts the server's workers, and the application (notably Rails applications, which parse headers through Rack) stops answering legitimate traffic, resulting in a denial of service.
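To make the mechanism concrete, here is an added example. It is not Rack's code and not the pattern that was fixed (this page does not identify it): a header token-list validator written as a nested-quantifier regex, the same acceptance rule as a single-pass parser, and a timing harness on a constructed input. The names `TOKEN_LIST_RE`, `valid_token_list_regex?`, `valid_token_list_linear?`, `crafted_header` and `time_both` are this example's own.

```ruby
# Added illustration, not Rack's code: a header token-list validator written
# as a nested-quantifier regex, the same check as a single-pass parser, and a
# timing harness on constructed input.
require 'benchmark'

# Illustrative pattern, not the one fixed in Rack: "one or more word tokens,
# each followed by optional whitespace, and nothing else". The nested
# quantifier (?:[\w-]+\s*)+ lets a backtracking engine split a run of word
# characters in about 2**(n-1) ways before \z finally fails on a trailing "!".
TOKEN_LIST_RE = /\A(?:[\w-]+\s*)+\z/

# Regex check. Correct on benign input; its worst case depends on the engine.
# Ruby before 3.2 backtracks exponentially here. Ruby 3.2 introduced
# memoization that keeps most patterns of this shape linear, and the same
# release added Regexp.timeout for the patterns it cannot memoize.
def valid_token_list_regex?(value)
  TOKEN_LIST_RE.match?(value)
end

# Same acceptance rule as TOKEN_LIST_RE, as a single pass over the characters:
# no backtracking, O(n) on every Ruby version.
def valid_token_list_linear?(value)
  saw_token = false
  value.each_char do |c|
    if c.match?(/\A[\w-]\z/)          # one character, nothing to backtrack
      saw_token = true
    elsif c.match?(/\A\s\z/)
      return false unless saw_token   # leading whitespace is rejected, as the regex does
    else
      return false                    # any other byte, e.g. "!", is invalid
    end
  end
  saw_token                           # empty input is invalid, as the regex requires
end

# Constructed attack input: n word characters that can be partitioned into
# tokens many ways, then a byte that makes every partition fail.
def crafted_header(n)
  ('a' * n) + '!'
end

# Wall-clock time of both validators on crafted_header(n).
def time_both(n)
  input = crafted_header(n)
  regex_s  = Benchmark.realtime { valid_token_list_regex?(input) }
  linear_s = Benchmark.realtime { valid_token_list_linear?(input) }
  { n: n, regex_s: regex_s, linear_s: linear_s }
end

if __FILE__ == $PROGRAM_NAME
  # On a Ruby without memoization each +4 in n costs roughly 16x on the regex
  # side; the linear validator stays flat. Keep n small: the growth is exponential.
  [12, 16, 20].each do |n|
    r = time_both(n)
    printf("n=%2d  regex %.4fs  linear %.6fs\n", r[:n], r[:regex_s], r[:linear_s])
  end
end
```

Both validators agree on every input; only their cost differs. The point for a practitioner is that the hand-written pass has a worst case you can reason about from the code, whereas the regex's worst case depends on the engine and on the Ruby version it runs under.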

What is the Impact of CVE-2023-27539?

Successful exploitation lets an unauthenticated attacker disrupt the web server or application: workers stuck in header parsing stop serving requests, so legitimate users see degraded performance or outright unavailability. The impact is confined to availability; no data is disclosed or modified.

What is the Exploitability of CVE-2023-27539?

Exploitation requires only sending specially crafted HTTP requests to the target server. No authentication or specific privileges are needed, making it an unauthenticated remote attack. Complexity is low to moderate: the attacker needs header values shaped to trigger the parsing slow path, nothing more. The primary prerequisite is the ability to send HTTP requests to the target. Regexp.timeout, the documented workaround, exists only from Ruby 3.2 on; deployments on older Rubies, or on Ruby 3.2 without a timeout configured, place no bound on how long a single request can keep the parser busy, so upgrading rack remains the real fix.

What are the Known Public Exploits?

No known public exploits are listed (PoC, author, link, commentary: none).

What are the Available Fixes for CVE-2023-27539?

Available Upgrade Options

  • rack
    • >=2.0.0, <2.2.6.4 → Upgrade to 2.2.6.4
    • >=3.0.0, <3.0.6.1 → Upgrade to 3.0.6.1
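As an added example (this page's own illustration, not a script from the Rack or Ruby projects), the affected ranges above turned into a version check with `Gem::Requirement`, together with the Ruby 3.2 `Regexp.timeout` workaround mentioned under exploitability, applied only where that Ruby feature exists. The names `rack_vulnerable?`, `rack_fix_for`, `loaded_rack_version`, `apply_regexp_timeout_workaround` and `match_with_timeout` are chosen here, the 0.5 s budget is an assumption, and the sample version strings and the runaway pattern are constructed for the demo.

```ruby
# Added illustration, not a Rack or Ruby project script: turn the affected
# ranges from this advisory into a version check, and apply the Ruby 3.2
# Regexp.timeout workaround only where it exists.
require 'rubygems'

# Affected ranges as published for CVE-2023-27539, and the first fixed
# release on each major line.
AFFECTED_RACK = [
  Gem::Requirement.new('>= 2.0.0', '< 2.2.6.4'),
  Gem::Requirement.new('>= 3.0.0', '< 3.0.6.1')
].freeze
FIXED_RACK = { 2 => '2.2.6.4', 3 => '3.0.6.1' }.freeze

# True when the given rack version string falls inside an affected range.
def rack_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED_RACK.any? { |req| req.satisfied_by?(v) }
end

# The release to upgrade to on the same major line, or nil when not affected.
def rack_fix_for(version_string)
  return nil unless rack_vulnerable?(version_string)
  FIXED_RACK[Gem::Version.new(version_string).segments.first]
end

# Version of the rack gem loaded in this process, or nil if rack is not loaded.
def loaded_rack_version
  spec = Gem.loaded_specs['rack']
  spec && spec.version.to_s
end

# Regexp::TimeoutError only exists on Ruby 3.2+; alias it so the rescue
# below works on older Rubies, where it can never be raised.
REGEXP_TIMEOUT_ERROR =
  defined?(Regexp::TimeoutError) ? Regexp::TimeoutError : Class.new(StandardError)

# Set the process-wide Regexp.timeout (Ruby 3.2+). Returns the timeout now in
# force, or nil when this Ruby has no such knob and upgrading is the only fix.
def apply_regexp_timeout_workaround(seconds)
  return nil unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  Regexp.timeout
end

# Run a match under the global timeout; a runaway match becomes the value
# :timed_out instead of a worker pinned at 100% CPU.
def match_with_timeout(pattern, input)
  pattern.match?(input)
rescue REGEXP_TIMEOUT_ERROR
  :timed_out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample versions; in an application use loaded_rack_version.
  ['2.2.6.3', '2.2.6.4', '3.0.6', '3.0.6.1'].each do |v|
    puts "rack #{v}: #{rack_vulnerable?(v) ? "affected, upgrade to #{rack_fix_for(v)}" : 'not affected'}"
  end

  # Assumed budget of 0.5 s per match. The lookahead in this constructed
  # pattern is only there to keep it on the backtracking path on Ruby 3.2+,
  # whose memoization is not applied to lookaround assertions, so the
  # timeout actually fires instead of the match finishing early.
  if apply_regexp_timeout_workaround(0.5)
    runaway = /\A(?:[\w-]+\s*)+(?=\z)/
    puts "runaway match under Regexp.timeout: #{match_with_timeout(runaway, ('a' * 40) + '!').inspect}"
  else
    puts 'Regexp.timeout unavailable on this Ruby; upgrade rack'
  end
end
```

In a Rails application the timeout would be set once at boot (an initializer is the usual place) and the version check run in CI against `Gem.loaded_specs`. The timeout converts a stalled worker into a raised exception that the application has to handle; it does not make the parsing correct, which is why the upgrade is still required.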

Additional Resources

What are Similar Vulnerabilities to CVE-2023-27539?

Similar Vulnerabilities: CVE-2023-40037, CVE-2022-26125, CVE-2018-8013, CVE-2016-10757, CVE-2014-0081