Inefficient Regular Expression Complexity
CVE-2022-44571
Summary
There is a denial of service vulnerability in the "Content-Disposition" parsing component of Rack versions 2.0.x prior to 2.0.9.2, 2.1.x prior to 2.1.4.2, 2.2.x prior to 2.2.6.1, and 3.0.0.x prior to 3.0.4.1. This could allow an attacker to craft an input that can cause "Content-Disposition" header parsing in Rack to take an unexpected amount of time, possibly resulting in a Denial of Service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Privileges Required: NONE
- Scope: UNCHANGED
- Confidentiality: NONE
- Integrity: NONE
- User Interaction: NONE
- Availability: HIGH
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
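The following Ruby snippet is an added illustration of the weakness class and its mitigation; it is not part of this advisory and is not Rack's own code. SLOW_DISPOSITION is a constructed header pattern with the ambiguous, nested repetition that CWE-1333 describes, parse_content_disposition is a constructed single-pass replacement for the value portion of a Content-Disposition header (the text after the "Content-Disposition:" field name), and hostile_header builds a constructed worst-case input. All three names are assumptions made for this example.

```ruby
require "strscan"

# Constructed example pattern, not Rack's own regex: the kind of header matcher
# CWE-1333 warns about. Inside the repeated group, \s*, [^;]* and the trailing
# \s* can all absorb the same run of spaces, so one parameter can be matched in
# O(k^2) ways for k spaces of padding. When the final \z fails, the engine
# retries every combination across every parameter: exponential backtracking.
SLOW_DISPOSITION = /\A\s*form-data(?:\s*;\s*[\w-]+\s*=\s*[^;]*\s*)*\z/i

# Linear-time replacement: a single left-to-right pass with StringScanner.
# Every sub-pattern is a plain character-class repetition anchored at the scan
# position, and the scanner never rewinds, so work is proportional to header
# length. Returns {name => value} on success, nil if the header is malformed.
def parse_content_disposition(header, max_len: 8192)
  return nil if header.nil? || header.bytesize > max_len # size cap before any parsing
  s = StringScanner.new(header)
  s.skip(/\s*/)
  return nil unless s.scan(/form-data/i)
  params = {}
  until s.eos?
    s.skip(/\s*/)
    break if s.eos?
    return nil unless s.skip(/;\s*/)
    name = s.scan(/[\w-]+/)
    return nil if name.nil?
    s.skip(/\s*/)
    return nil unless s.skip(/=\s*/)
    if s.skip(/"/)
      # quoted-string: literal chunks plus backslash escapes, closed by "
      value = +""
      loop do
        chunk = s.scan(/[^"\\]+/)
        value << chunk if chunk
        if s.skip(/\\/)
          c = s.getch
          return nil if c.nil?  # dangling backslash at end of header
          value << c
        elsif s.skip(/"/)
          break
        else
          return nil            # unterminated quoted-string
        end
      end
    else
      value = s.scan(/[^;\s]*/) # token value; may legitimately be empty
    end
    params[name.downcase] = value
  end
  params
end

# Constructed worst-case input for SLOW_DISPOSITION: many space-padded
# parameters and a dangling ';' so the overall match fails only at the end.
def hostile_header(params:, pad:)
  "form-data" + ("; a=b" + " " * pad) * params + ";"
end

if __FILE__ == $0
  # Compare by hand: SLOW_DISPOSITION.match?(hostile_header(params: 12, pad: 12))
  # can take very long on Rubies without regex memoization; the scanner stays instant.
  t = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  parse_content_disposition(hostile_header(params: 1000, pad: 5), max_len: 1 << 20)
  puts "scanner on hostile input: #{(Process.clock_gettime(Process::CLOCK_MONOTONIC) - t).round(4)}s"
end
```

Two practical notes. First, the real fix is to upgrade Rack to a patched version listed above; the scanner is shown only to make the structural difference visible (no quantifier can re-match text another quantifier already consumed). Second, Ruby 3.2 and later memoize regex matching for patterns without backreferences or lookarounds and offer Regexp.timeout, both of which blunt this class of input, but a size cap and an unambiguous grammar remain the dependable defence on any interpreter version.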
References
Advisory Timeline
- Published