Allele Security Alert
ASA-2018-00033
Identifier(s)
ASA-2018-00033, CVE-2018-16470
Title
DoS vulnerability in multipart parser
Product(s)
Rack
Affected version(s)
Rack 2.0.4, 2.0.5
Fixed version(s)
Rack 2.0.6
Proof of concept
Unknown
Description
There is a possible DoS vulnerability in the multipart parser in Rack. Carefully crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
Impacted code can look something like this:
```
Rack::Request.new(env).params
```
But any code that uses the multipart parser may be vulnerable.
Rack users that have manually adjusted the buffer size in the multipart parser may be vulnerable as well.
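A defender's version check added here (example code, not part of the Allele alert or of Rack itself): the script below reads a Gemfile.lock, extracts the pinned rack version and classifies it against the affected (2.0.4, 2.0.5) and fixed (2.0.6) versions this alert lists. The lockfile text is constructed for illustration, and the `    rack (x.y.z)` line format under `specs:` is Bundler's; no other Rack internals are assumed.

```ruby
# Added example, not code from the alert or from Rack: scan a Gemfile.lock
# for the locked rack version and compare it with the versions named in
# ASA-2018-00033 / CVE-2018-16470.
require "rubygems"

AFFECTED_RACK_VERSIONS = %w[2.0.4 2.0.5].map { |v| Gem::Version.new(v) }.freeze
FIXED_RACK_VERSION     = Gem::Version.new("2.0.6")

# Return the Gem::Version locked for gem_name, or nil if it is not present.
# Bundler writes resolved gems in the "specs:" section as "    rack (2.0.5)"
# (exactly four leading spaces); dependency lines are indented deeper and
# carry requirement operators, so they are not matched.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if (m = line.match(/\A\s{4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/))
      return Gem::Version.new(m[1])
    end
  end
  nil
end

# Classify a rack version against this advisory.
#   :affected   - one of the versions the alert lists as affected
#   :fixed      - the fixed release or anything newer
#   :not_listed - older than the affected range; this alert does not cover it
#   :unknown    - rack is not locked in the file at all
def classify_rack(version)
  return :unknown if version.nil?
  return :affected if AFFECTED_RACK_VERSIONS.include?(version)
  return :fixed if version >= FIXED_RACK_VERSION
  :not_listed
end

def assess_lockfile(lockfile_text)
  classify_rack(locked_version(lockfile_text, "rack"))
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.0.5)
      rack-test (1.1.0)
        rack (>= 1.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  puts "rack #{locked_version(text, 'rack')}: #{assess_lockfile(text)}"
end
```

Run it with a path to a project's Gemfile.lock; with no argument it evaluates the embedded sample and reports `:affected`. Versions older than 2.0.4 are reported separately because this alert makes no statement about them.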
Technical details
Unknown
Credits
Bo Jeanes and Jack “chendo” Chen
Reference(s)
[CVE-2018-16470] Possible DoS vulnerability in Rack
https://seclists.org/oss-sec/2018/q4/128
[CVE-2018-16470] Possible DoS vulnerability in Rack
https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ
CVE-2018-16470
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16470
CVE-2018-16470
https://nvd.nist.gov/vuln/detail/CVE-2018-16470
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 6, 2019