There is a possible denial of service vulnerability in the multipart parsing
component of Rack. This vulnerability has been assigned the CVE identifier
CVE-2022-30122.
Versions Affected: >= 1.2
Not affected: < 1.2
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
Impact
------
Carefully crafted multipart POST requests can cause Rack's multipart parser to
take much longer than expected, leading to a possible denial of service
vulnerability.
Impacted code will use Rack's multipart parser to parse multipart posts. This
includes directly using the multipart parser like this:
```
params = Rack::Multipart.parse_multipart(env)
```
But it also includes reading POST data from a Rack request object like this:
```
p request.POST # read POST data
p request.params # reads both query params and POST data
```
All users running an affected release should either upgrade or use one of the
workarounds immediately.
Releases
--------
The FIXED releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 2-0-multipart-redos.patch - Patch for 2.0 series
* 2-1-multipart-redos.patch - Patch for 2.1 series
* 2-2-multipart-redos.patch - Patch for 2.2 series
Credits
-------
Thanks to [@ooooooo_q](https://hackerone.com/ooooooo_q?type=user) for reporting this!