Inefficient Regular Expression Complexity

CVE-2022-44572

High

7.5/10

Summary

A denial of service vulnerability in the multipart parsing component of Rack versions 2.0.x prior to 2.0.9.2, 2.1.x prior to 2.1.4.2, 2.2.x prior to 2.2.6.1, and 3.0.x prior to 3.0.4.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

Advisory
Release Note

Advisory Timeline

Published Feb 09, 2023

Inefficient Regular Expression Complexity

CVE-2022-44572

Summary

CWE-1333 - Inefficient Regular Expression Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS