[CVE-2022-30122] Denial of Service Vulnerability in Rack Multipart Parsing

911 views
Skip to first unread message

Aaron Patterson

unread,
May 27, 2022, 11:48:11 AM5/27/22
to ruby-sec...@googlegroups.com, rubyonrail...@googlegroups.com

There is a possible denial of service vulnerability in the multipart parsing

component of Rack.  This vulnerability has been assigned the CVE identifier

CVE-2022-30122.


Versions Affected:  >= 1.2

Not affected:       < 1.2

Fixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1


Impact

------

Carefully crafted multipart POST requests can cause Rack's multipart parser to

take much longer than expected, leading to a possible denial of service

vulnerability.


Impacted code will use Rack's multipart parser to parse multipart posts.  This

includes directly using the multipart parser like this:


```

params = Rack::Multipart.parse_multipart(env)

```


But it also includes reading POST data from a Rack request object like this:


```

p request.POST # read POST data

p request.params # reads both query params and POST data

```


All users running an affected release should either upgrade or use one of the

workarounds immediately.


Releases

--------

The FIXED releases are available at the normal locations.


Workarounds

-----------

There are no feasible workarounds for this issue.


Patches

-------

To aid users who aren't able to upgrade immediately we have provided patches for

the two supported release series. They are in git-am format and consist of a

single changeset.


* 2-0-multipart-redos.patch - Patch for 2.0 series

* 2-1-multipart-redos.patch - Patch for 2.1 series

* 2-2-multipart-redos.patch - Patch for 2.2 series


Credits

-------


Thanks to [@ooooooo_q](https://hackerone.com/ooooooo_q?type=user) for reporting this!

2-2-multipart-redos.patch
2-1-multipart-redos.patch
2-0-multipart-redos.patch
Reply all
Reply to author
Forward
0 new messages