CVE-2024-26141
Advisory lineage Upstream: 0 Downstream: 26
Analyzed
Published: 28 Feb 2024, 23:28
Last modified:13 Feb 2025, 17:41
Vulnerability Summary
Overall Risk (default)
medium
40/100 CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.41% LOW
0% probability +0.12%
KEV
Not listed
Ransomware
No reports
Public exploits
3 found
Dark Web
Not detected
Timeline
28 Feb 2024, 23:28
Published
Vulnerability first disclosed
13 Feb 2025, 17:41
Last Modified
Vulnerability information updated
Description
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
- v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Trends
Current EPSS score: 0.41%• Percentile: 62%
Techniques & Countermeasures
- CWE-400•Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- debian•debian_linux
10.0
- rack•rack
≥ 1.3.0, < 2.2.8.1 | ≥ 3.0.0, < 3.0.9.1
References (7)
- https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
- https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
- https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
- https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
- https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
- https://security.netapp.com/advisory/ntap-20240510-0007/