Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2022-30123

High

10/10

Summary

A sequence injection vulnerability exists in Rack prior to 2.0.9.1, 2.1.x prior to 2.1.4.1, and 2.2.x prior to 2.2.3.1 which could allow is a possible shell escape in the "Lint" and "CommonLogger" components of Rack.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

The software receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as escape, meta, or control character sequences when they are sent to a downstream component.

References

Advisory
Mail Thread
Pull request
Issue

Advisory Timeline

Published Dec 05, 2022

Improper Neutralization of Escape, Meta, or Control Sequences

CVE-2022-30123

Summary

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS