CVE-2011-5036
First published: Fri Dec 30 2011(Updated: )
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jruby:jruby-parent | <1.6.5.1 | 1.6.5.1 |
| rubygems/rack | >=1.3.0<1.3.6 | 1.3.6 |
| rubygems/rack | >=1.2.0<1.2.5 | 1.2.5 |
| rubygems/rack | <1.1.3 | 1.1.3 |
| Rack-Project Rack | <=1.1.0 | |
| Rack-Project Rack | =1.2.0 | |
| Rack-Project Rack | =1.2.1 | |
| Rack-Project Rack | =1.2.2 | |
| Rack-Project Rack | =1.2.3 | |
| Rack-Project Rack | =1.2.4 | |
| Rack-Project Rack | =1.3.0 | |
| Rack-Project Rack | =1.3.1 | |
| Rack-Project Rack | =1.3.2 | |
| Rack-Project Rack | =1.3.3 | |
| Rack-Project Rack | =1.3.4 | |
| Rack-Project Rack | =1.3.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.kb.cert.org/vuls/id/903934
- https://gist.github.com/52bbc6b9cc19ce330829
- http://www.ocert.org/advisories/ocert-2011-003.html
- http://www.nruns.com/_downloads/advisory28122011.pdf
- http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- http://www.debian.org/security/2013/dsa-2783
- https://nvd.nist.gov/vuln/detail/CVE-2011-5036
- https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml
- https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html
- https://github.com/advisories/GHSA-v6j3-7jrw-hq2p (Advisory)
Frequently Asked Questions
What is the severity of CVE-2011-5036?
CVE-2011-5036 has a moderate severity rating due to its potential for denial of service attacks.
How do I fix CVE-2011-5036?
To fix CVE-2011-5036, upgrade Rack to version 1.1.3, 1.2.5, or 1.3.6 or later.
What types of attacks does CVE-2011-5036 enable?
CVE-2011-5036 enables remote attackers to perform denial of service attacks through crafted form parameters.
Which versions of Rack are affected by CVE-2011-5036?
CVE-2011-5036 affects Rack versions before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6.
Is there a known exploit for CVE-2011-5036?
While there are no public exploits specifically documented for CVE-2011-5036, its vulnerability can be exploited to exhaust server CPU resources.
- collector/github-advisory-latest
- alias/GHSA-v6j3-7jrw-hq2p
- alias/CVE-2011-5036
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/severity
- agent/weakness
- agent/references
- agent/first-publish-date
- agent/event
- agent/description
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- collector/nvd-historical
- agent/author
- package-manager/maven
- package-manager/rubygems
- vendor/rack project
- canonical/rack-project rack
- version/rack-project rack/1.1.0
- version/rack-project rack/1.2.0
- version/rack-project rack/1.2.1
- version/rack-project rack/1.2.2
- version/rack-project rack/1.2.3
- version/rack-project rack/1.2.4
- version/rack-project rack/1.3.0
- version/rack-project rack/1.3.1
- version/rack-project rack/1.3.2
- version/rack-project rack/1.3.3
- version/rack-project rack/1.3.4
- version/rack-project rack/1.3.5