CVE-2012-6109

First published: Fri May 04 2012(Updated: )

`lib/rack/multipart.rb` in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
rubygems/rack	>=1.4.0<1.4.2	1.4.2
rubygems/rack	>=1.3.0<1.3.7	1.3.7
rubygems/rack	>=1.2.0<1.2.6	1.2.6
rubygems/rack	<1.1.4	1.1.4
redhat/rubygem-activesupport	<1:3.0.10-10.el6cf	1:3.0.10-10.el6cf
redhat/rubygem-nokogiri	<0:1.5.0-0.9.beta4.el6cf	0:1.5.0-0.9.beta4.el6cf
redhat/rubygem-rack	<1:1.3.0-3.el6cf	1:1.3.0-3.el6cf
redhat/rubygem-rdoc	<0:3.8-6.el6cf	0:3.8-6.el6cf
redhat/rubygem-rspec-rails	<0:2.6.1-7.el6cf	0:2.6.1-7.el6cf
redhat/rubygem-shoulda	<0:2.11.3-5.el6cf	0:2.11.3-5.el6cf
redhat/apache-commons-codec	<0:1.7-2.el6_3	0:1.7-2.el6_3
redhat/apache-mime4j	<0:0.6-4_redhat_1.ep6.el6.1	0:0.6-4_redhat_1.ep6.el6.1
redhat/candlepin	<0:0.7.23-1.el6_3	0:0.7.23-1.el6_3
redhat/elasticsearch	<0:0.19.9-5.el6_3	0:0.19.9-5.el6_3
redhat/katello	<0:1.2.1-15h.el6_3	0:1.2.1-15h.el6_3
redhat/katello-certs-tools	<0:1.2.1-1h.el6_3	0:1.2.1-1h.el6_3
redhat/katello-cli	<0:1.2.1-12h.el6_3	0:1.2.1-12h.el6_3
redhat/katello-configure	<0:1.2.3-3h.el6_3	0:1.2.3-3h.el6_3
redhat/katello-selinux	<0:1.2.1-2h.el6_3	0:1.2.1-2h.el6_3
redhat/lucene3	<0:3.6.1-10h.el6_3	0:3.6.1-10h.el6_3
redhat/puppet	<0:2.6.17-2.el6cf	0:2.6.17-2.el6cf
redhat/quartz	<0:2.1.5-4.el6_3	0:2.1.5-4.el6_3
redhat/rubygem-apipie-rails	<0:0.0.12-2.el6cf	0:0.0.12-2.el6cf
redhat/rubygem-mail	<0:2.3.0-3.el6cf	0:2.3.0-3.el6cf
redhat/sigar	<0:1.6.5-0.12.git58097d9h.el6_3	0:1.6.5-0.12.git58097d9h.el6_3
redhat/snappy-java	<0:1.0.4-2.el6_3	0:1.0.4-2.el6_3
redhat/thumbslug	<0:0.0.28-1.el6_3	0:0.0.28-1.el6_3
Rack Project Rack	<=1.1.3
Rack Project Rack	=0.1
Rack Project Rack	=0.2
Rack Project Rack	=0.3
Rack Project Rack	=0.4
Rack Project Rack	=0.9
Rack Project Rack	=0.9.1
Rack Project Rack	=1.0.0
Rack Project Rack	=1.0.1
Rack Project Rack	=1.1.0
Rack Project Rack	=1.1.2
Rack Project Rack	=1.2.0
Rack Project Rack	=1.2.1
Rack Project Rack	=1.2.2
Rack Project Rack	=1.2.3
Rack Project Rack	=1.2.4
Rack Project Rack	=1.3.0
Rack Project Rack	=1.3.1
Rack Project Rack	=1.3.2
Rack Project Rack	=1.3.3
Rack Project Rack	=1.3.4
Rack Project Rack	=1.3.5
Rack Project Rack	=1.3.6
Rack Project Rack	=1.4.0
Rack Project Rack	=1.4.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

collector/github-advisory-latest
alias/GHSA-h77x-m5q8-c29h
alias/CVE-2012-6109
collector/redhat-cve
collector/github-advisory
collector/nvd-cve
collector/nvd-index
agent/author
agent/type
agent/softwarecombine
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
agent/last-modified-date
agent/severity
agent/weakness
agent/references
agent/tags
agent/description
agent/event
agent/trending
package-manager/rubygems
package-manager/redhat
vendor/rack project
canonical/rack project rack
version/rack project rack/1.1.3
version/rack project rack/0.1
version/rack project rack/0.2
version/rack project rack/0.3
version/rack project rack/0.4
version/rack project rack/0.9
version/rack project rack/0.9.1
version/rack project rack/1.0.0
version/rack project rack/1.0.1
version/rack project rack/1.1.0
version/rack project rack/1.1.2
version/rack project rack/1.2.0
version/rack project rack/1.2.1
version/rack project rack/1.2.2
version/rack project rack/1.2.3
version/rack project rack/1.2.4
version/rack project rack/1.3.0
version/rack project rack/1.3.1
version/rack project rack/1.3.2
version/rack project rack/1.3.3
version/rack project rack/1.3.4
version/rack project rack/1.3.5
version/rack project rack/1.3.6
version/rack project rack/1.4.0
version/rack project rack/1.4.1

CVE-2012-6109

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Company

Resources

Contact