CVE-2024-26146
Denial of Service vulnerability in rack (RubyGems)

Denial of Service (no known public exploit)

What is CVE-2024-26146 About?

This is a denial of service vulnerability in Rack caused by inefficient header parsing. A carefully crafted HTTP header can make Rack's parser take far longer than expected to process a single request, degrading performance or leaving the service unresponsive. The Accept and Forwarded headers are affected. Exploitation needs no authentication and no special access: an attacker only has to send an HTTP request whose header value is long and pathologically structured, so the practical difficulty is low.

Affected Software

  • rack
    • <2.0.9.4
    • >=2.1.0, <2.1.4.4
    • >=2.2.0, <2.2.8.1
    • >=3.0.0, <3.0.9.1

Technical Details

The vulnerability is in Rack's parsing of the Accept and Forwarded request headers. The parsing code split these header values with whitespace-tolerant regular expressions (patterns of the form /\s*,\s*/ and /\s*;\s*/). On a long run of whitespace that is not followed by the expected separator, the regex engine tries the greedy \s* at each offset, consumes the rest of the run, fails to find the separator, and backtracks one character at a time, so the total cost grows quadratically with the length of the header. This is a Regular Expression Denial of Service (ReDoS): a single request carrying an oversized header can occupy a worker process or thread for a long time, and a handful of such requests can exhaust the server's request-handling capacity and deny service to legitimate users.
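To make the parsing cost concrete, here is an added example (not Rack's own code and not taken from the advisory) that contrasts a whitespace-tolerant regex split, modelled on the pattern the vulnerable Accept-header parser used, with the literal-separator split plus strip that the fixed versions moved to. The module and method names are illustrative, the parser is simplified to the media type and q value, and the attack header is constructed inline.

```ruby
# Added example: simplified Accept-header parsing, pre-fix pattern versus
# fixed pattern. Not Rack's code; names are illustrative.
require 'benchmark'

module AcceptParserDemo
  module_function

  # Pre-fix pattern: split on /\s*,\s*/ and /\s*;\s*/. On a long run of
  # spaces with no comma, the engine tries the greedy \s* at every offset,
  # consumes the rest of the run, fails to find ',', and backtracks one
  # character at a time: quadratic in the header length.
  def parse_vulnerable(header)
    header.to_s.split(/\s*,\s*/).map do |part|
      attribute, parameters = part.split(/\s*;\s*/, 2)
      quality = 1.0
      quality = $1.to_f if parameters && /\Aq=([\d.]+)/ =~ parameters
      [attribute, quality]
    end
  end

  # Fixed pattern: split on the literal separator, then strip each piece.
  # String#split with a plain string and String#strip! are linear-time.
  def parse_fixed(header)
    header.to_s.split(",").each(&:strip!).map do |part|
      attribute, parameters = part.split(";", 2).each(&:strip!)
      quality = 1.0
      quality = $1.to_f if parameters && /\Aq=([\d.]+)/ =~ parameters
      [attribute, quality]
    end
  end

  # Constructed attack payload: one token followed by n spaces and no comma.
  def payload(n)
    "a" + " " * n
  end

  # Wall-clock cost of each parser on a payload of n spaces, in seconds.
  def time_both(n)
    h = payload(n)
    {
      vulnerable: Benchmark.realtime { parse_vulnerable(h) },
      fixed:      Benchmark.realtime { parse_fixed(h) }
    }
  end
end

if $PROGRAM_NAME == __FILE__
  # Doubling n roughly quadruples the vulnerable time on Ruby < 3.2;
  # the fixed parser stays flat.
  [1_000, 2_000, 4_000].each do |n|
    t = AcceptParserDemo.time_both(n)
    printf("n=%5d  vulnerable=%.4fs  fixed=%.6fs\n", n, t[:vulnerable], t[:fixed])
  end
end
```

Both parsers return the same result for ordinary headers such as `text/html, application/json;q=0.8`; they differ only in how they handle the whitespace the attacker supplies. On Ruby 3.2 and newer the vulnerable timings flatten as well, because that release added memoization to the regex engine that bounds this kind of backtracking, which is why the advisory treats Rack applications on Ruby 3.2+ as unaffected.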

What is the Impact of CVE-2024-26146?

Successful exploitation lets an attacker degrade performance or make the application unresponsive: each crafted request ties up a worker process or thread for an extended period, so a modest volume of such requests can consume the server's capacity and disrupt availability for legitimate users.

What is the Exploitability of CVE-2024-26146?

Exploiting this vulnerability requires only sending an HTTP request whose Accept or Forwarded header is crafted to trigger the quadratic parsing behaviour. Attack complexity is low: the payload is little more than a long run of whitespace, no authentication or privileges are needed, and the request can be sent by any unauthenticated remote client to any application built on an affected Rack version. The parsing runs when application or middleware code asks Rack::Request for the parsed value of one of these headers, which is common in practice. Rack applications running on Ruby 3.2 or newer are not affected, because the regex engine in Ruby 3.2 added memoization that bounds the backtracking this issue relies on. On older Rubies, the ease of sending such requests and the availability impact make the overall risk significant.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-26146?

Available Upgrade Options

  • rack
    • <2.0.9.4 → Upgrade to 2.0.9.4
    • >=2.1.0, <2.1.4.4 → Upgrade to 2.1.4.4
    • >=2.2.0, <2.2.8.1 → Upgrade to 2.2.8.1
    • >=3.0.0, <3.0.9.1 → Upgrade to 3.0.9.1
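As an added example (not from the advisory or from Rack itself), the check below turns the affected ranges listed on this page into a small assessment using RubyGems' own version comparison, takes the Ruby 3.2 mitigation into account, and reads the locked rack version out of a Gemfile.lock body. The module name, the result symbols and the lockfile excerpt are illustrative.

```ruby
# Added example: is a given rack version in an affected range, and does the
# running Ruby mitigate it? Ranges are the ones listed on this page.
require 'rubygems'

module Cve202426146Check
  AFFECTED = [
    Gem::Requirement.new('< 2.0.9.4'),
    Gem::Requirement.new('>= 2.1.0', '< 2.1.4.4'),
    Gem::Requirement.new('>= 2.2.0', '< 2.2.8.1'),
    Gem::Requirement.new('>= 3.0.0', '< 3.0.9.1')
  ].freeze

  module_function

  # True when the rack version falls inside any affected range.
  def affected?(rack_version)
    v = Gem::Version.new(rack_version)
    AFFECTED.any? { |req| req.satisfied_by?(v) }
  end

  # The advisory states Ruby 3.2+ mitigates the issue at the regex engine.
  def mitigated_by_ruby?(ruby_version = RUBY_VERSION)
    Gem::Version.new(ruby_version) >= Gem::Version.new('3.2.0')
  end

  # :fixed, :mitigated_by_ruby or :vulnerable for a rack/Ruby pair.
  def assess(rack_version, ruby_version = RUBY_VERSION)
    if !affected?(rack_version)
      :fixed
    elsif mitigated_by_ruby?(ruby_version)
      :mitigated_by_ruby
    else
      :vulnerable
    end
  end

  # Pull the resolved rack version from Gemfile.lock text: spec lines sit
  # under "specs:" at four-space indent, dependency lines at six.
  def locked_rack_version(lockfile_text)
    m = lockfile_text.match(/^\s{4}rack \(([^)]+)\)$/)
    m && m[1]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed lockfile excerpt for illustration.
  lock = "GEM\n  remote: https://rubygems.org/\n  specs:\n" \
         "    rack (2.2.8)\n    rack-test (2.1.0)\n      rack (>= 1.3)\n"
  v = Cve202426146Check.locked_rack_version(lock)
  puts "rack #{v} on Ruby #{RUBY_VERSION}: #{Cve202426146Check.assess(v)}"
end
```

Treat :mitigated_by_ruby as a reason to schedule the upgrade rather than to skip it: the mitigation lives in the interpreter, so the same Gemfile.lock deployed on an older Ruby is vulnerable again.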


Additional Resources

What are Similar Vulnerabilities to CVE-2024-26146?

Similar vulnerabilities: CVE-2024-26141, CVE-2022-44572, CVE-2022-2988, CVE-2021-38102, CVE-2023-39325