CVE-2012-6109
medium
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
4.3
Description
lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.4.1-2.1 |
| sid | Fixed | 1.4.1-2.1 |
| forky | Fixed | 1.4.1-2.1 |
| bullseye | Fixed | 1.4.1-2.1 |
| bookworm | Fixed | 1.4.1-2.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rack_project | rack | {"endIncluding":"1.1.3"} | |
| rack_project | rack | 0.1 | |
| rack_project | rack | 0.2 | |
| rack_project | rack | 0.3 | |
| rack_project | rack | 0.4 | |
| rack_project | rack | 0.9 | |
| rack_project | rack | 0.9.1 | |
| rack_project | rack | 1.0.0 | |
| rack_project | rack | 1.0.1 | |
| rack_project | rack | 1.1.0 | |
| rack_project | rack | 1.1.2 | |
| rack_project | rack | 1.2.0 | |
| rack_project | rack | 1.2.1 | |
| rack_project | rack | 1.2.2 | |
| rack_project | rack | 1.2.3 | |
| rack_project | rack | 1.2.4 | |
| rack_project | rack | 1.3.0 | |
| rack_project | rack | 1.3.1 | |
| rack_project | rack | 1.3.2 | |
| rack_project | rack | 1.3.3 | |
| rack_project | rack | 1.3.4 | |
| rack_project | rack | 1.3.5 | |
| rack_project | rack | 1.3.6 | |
| rack_project | rack | 1.4.0 | |
| rack_project | rack | 1.4.1 | |
References
- https://nvd.nist.gov/vuln/detail/CVE-2012-6109
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0544.html
- http://rhn.redhat.com/errata/RHSA-2013-0548.html
- https://bugzilla.redhat.com/show_bug.cgi?id=895277
- https://github.com/rack/rack/blob/master/README.rdoc
- https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5
- https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
- https://access.redhat.com/errata/RHSA-2013:0544
- https://access.redhat.com/security/cve/CVE-2012-6109
- https://github.com/rack/rack
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2012-6109.yml
- https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ
- https://rhn.redhat.com/errata/RHSA-2013-0544.html
- https://security-tracker.debian.org/tracker/CVE-2012-6109
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.