What is the severity of CVE-2012-6109?

CVE-2012-6109 has a severity rating that indicates a denial of service vulnerability that can lead to an infinite loop.

How do I fix CVE-2012-6109?

To fix CVE-2012-6109, upgrade Rack to version 1.1.4 or later, or to the appropriate patched version for your installation.

What versions of Rack are affected by CVE-2012-6109?

CVE-2012-6109 affects Rack versions before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2.

Can CVE-2012-6109 cause a website to crash?

Yes, CVE-2012-6109 can allow remote attackers to cause a denial of service, potentially crashing the affected application.

Is CVE-2012-6109 exploitable without authentication?

CVE-2012-6109 can be exploited without authentication, making it a significant risk for publicly accessible servers.

Vulnerability/
CVE-2012-6109

medium

4.3

CWE

835

4/5/2012

1/3/2013

24/10/2017

6/8/2024

CVE-2012-6109

First published: Fri May 04 2012(Updated: )

`lib/rack/multipart.rb` in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
rubygems/rack	>=1.4.0<1.4.2	1.4.2
rubygems/rack	>=1.3.0<1.3.7	1.3.7
rubygems/rack	>=1.2.0<1.2.6	1.2.6
rubygems/rack	<1.1.4	1.1.4
redhat/rubygem-activesupport	<1:3.0.10-10.el6cf	1:3.0.10-10.el6cf
redhat/rubygem-nokogiri	<0:1.5.0-0.9.beta4.el6cf	0:1.5.0-0.9.beta4.el6cf
redhat/rubygem-rack	<1:1.3.0-3.el6cf	1:1.3.0-3.el6cf
redhat/rubygem-rdoc	<0:3.8-6.el6cf	0:3.8-6.el6cf
redhat/rubygem-rspec-rails	<0:2.6.1-7.el6cf	0:2.6.1-7.el6cf
redhat/rubygem-shoulda	<0:2.11.3-5.el6cf	0:2.11.3-5.el6cf
redhat/apache-commons-codec	<0:1.7-2.el6_3	0:1.7-2.el6_3
redhat/apache-mime4j	<0:0.6-4_redhat_1.ep6.el6.1	0:0.6-4_redhat_1.ep6.el6.1
redhat/candlepin	<0:0.7.23-1.el6_3	0:0.7.23-1.el6_3
redhat/elasticsearch	<0:0.19.9-5.el6_3	0:0.19.9-5.el6_3
redhat/katello	<0:1.2.1-15h.el6_3	0:1.2.1-15h.el6_3
redhat/katello-certs-tools	<0:1.2.1-1h.el6_3	0:1.2.1-1h.el6_3
redhat/katello-cli	<0:1.2.1-12h.el6_3	0:1.2.1-12h.el6_3
redhat/katello-configure	<0:1.2.3-3h.el6_3	0:1.2.3-3h.el6_3
redhat/katello-selinux	<0:1.2.1-2h.el6_3	0:1.2.1-2h.el6_3
redhat/lucene3	<0:3.6.1-10h.el6_3	0:3.6.1-10h.el6_3
redhat/puppet	<0:2.6.17-2.el6cf	0:2.6.17-2.el6cf
redhat/quartz	<0:2.1.5-4.el6_3	0:2.1.5-4.el6_3
redhat/rubygem-apipie-rails	<0:0.0.12-2.el6cf	0:0.0.12-2.el6cf
redhat/rubygem-mail	<0:2.3.0-3.el6cf	0:2.3.0-3.el6cf
redhat/sigar	<0:1.6.5-0.12.git58097d9h.el6_3	0:1.6.5-0.12.git58097d9h.el6_3
redhat/snappy-java	<0:1.0.4-2.el6_3	0:1.0.4-2.el6_3
redhat/thumbslug	<0:0.0.28-1.el6_3	0:0.0.28-1.el6_3
Rack-Project Rack	<=1.1.3
Rack-Project Rack	=0.1
Rack-Project Rack	=0.2
Rack-Project Rack	=0.3
Rack-Project Rack	=0.4
Rack-Project Rack	=0.9
Rack-Project Rack	=0.9.1
Rack-Project Rack	=1.0.0
Rack-Project Rack	=1.0.1
Rack-Project Rack	=1.1.0
Rack-Project Rack	=1.1.2
Rack-Project Rack	=1.2.0
Rack-Project Rack	=1.2.1
Rack-Project Rack	=1.2.2
Rack-Project Rack	=1.2.3
Rack-Project Rack	=1.2.4
Rack-Project Rack	=1.3.0
Rack-Project Rack	=1.3.1
Rack-Project Rack	=1.3.2
Rack-Project Rack	=1.3.3
Rack-Project Rack	=1.3.4
Rack-Project Rack	=1.3.5
Rack-Project Rack	=1.3.6
Rack-Project Rack	=1.4.0
Rack-Project Rack	=1.4.1

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2012-6109?
CVE-2012-6109 has a severity rating that indicates a denial of service vulnerability that can lead to an infinite loop.
How do I fix CVE-2012-6109?
To fix CVE-2012-6109, upgrade Rack to version 1.1.4 or later, or to the appropriate patched version for your installation.
What versions of Rack are affected by CVE-2012-6109?
CVE-2012-6109 affects Rack versions before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2.
Can CVE-2012-6109 cause a website to crash?
Yes, CVE-2012-6109 can allow remote attackers to cause a denial of service, potentially crashing the affected application.
Is CVE-2012-6109 exploitable without authentication?
CVE-2012-6109 can be exploited without authentication, making it a significant risk for publicly accessible servers.

collector/github-advisory-latest
alias/GHSA-h77x-m5q8-c29h
alias/CVE-2012-6109
collector/redhat-cve
collector/github-advisory
agent/type
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/redhat-bugzilla
source/Red Hat
agent/last-modified-date
agent/severity
agent/weakness
agent/references
agent/description
agent/event
agent/trending
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
collector/nvd-cve
agent/author
agent/softwarecombine
package-manager/rubygems
package-manager/redhat
vendor/rack project
canonical/rack-project rack
version/rack-project rack/1.1.3
version/rack-project rack/0.1
version/rack-project rack/0.2
version/rack-project rack/0.3
version/rack-project rack/0.4
version/rack-project rack/0.9
version/rack-project rack/0.9.1
version/rack-project rack/1.0.0
version/rack-project rack/1.0.1
version/rack-project rack/1.1.0
version/rack-project rack/1.1.2
version/rack-project rack/1.2.0
version/rack-project rack/1.2.1
version/rack-project rack/1.2.2
version/rack-project rack/1.2.3
version/rack-project rack/1.2.4
version/rack-project rack/1.3.0
version/rack-project rack/1.3.1
version/rack-project rack/1.3.2
version/rack-project rack/1.3.3
version/rack-project rack/1.3.4
version/rack-project rack/1.3.5
version/rack-project rack/1.3.6
version/rack-project rack/1.4.0
version/rack-project rack/1.4.1