What is CVE-2022-30122?

CVE-2022-30122 is a denial of service vulnerability in the multipart parsing component of Rack.

Which versions of Rack are affected by CVE-2022-30122?

Versions >= 1.2 of Rack are affected by CVE-2022-30122.

How can I fix CVE-2022-30122?

To fix CVE-2022-30122, update to the fixed versions: 2.0.9.1, 2.1.4.1, or 2.2.3.1 of Rack.

What is the severity of CVE-2022-30122?

CVE-2022-30122 has a severity rating of 7.5 (High).

Where can I find more information about CVE-2022-30122?

You can find more information about CVE-2022-30122 in the references provided: [GitHub Advisory](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2099520), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:7242).

Vulnerability/
CVE-2022-30122

high

7.5

CWE

400 1333 770

27/5/2022

5/12/2022

21/11/2024

CVE-2022-30122

First published: Fri May 27 2022(Updated: )

A denial of service flaw was found in ruby-rack. An attacker crafting multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a denial of service.

Credit: support@hackerone.com support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
redhat/rubygem-rack	<0:2.2.4-1.el7	0:2.2.4-1.el7
redhat/tfm-rubygem-rack	<0:2.2.3.1-1.el7	0:2.2.3.1-1.el7
redhat/rubygem-rack	<0:2.2.3.1-1.el8	0:2.2.3.1-1.el8
Rack Project Rack	>=1.2<2.0.9.1
Rack Project Rack	>=2.1.0<2.1.4.1
Rack Project Rack	>=2.2.0<2.2.3.1
rubygems/rack	>=2.2<=2.2.3.0	2.2.3.1
rubygems/rack	>=2.1<=2.1.4.0	2.1.4.1
rubygems/rack	>=1.2<=2.0.9.0	2.0.9.1
redhat/rubygem-rack	<2.0.9.1	2.0.9.1
redhat/rubygem-rack	<2.1.4.1	2.1.4.1
redhat/rubygem-rack	<2.2.3.1	2.2.3.1
Debian Debian Linux	=11.0
debian/ruby-rack		2.1.4-3+deb11u2 2.2.6.4-1+deb12u1 2.2.7-1.1

Remedy

https://github.com/rack/rack/commit/d286516cbd58fbb2ad6944ce9040e9ba96d9371a

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-30122?
CVE-2022-30122 is a denial of service vulnerability in the multipart parsing component of Rack.
Which versions of Rack are affected by CVE-2022-30122?
Versions >= 1.2 of Rack are affected by CVE-2022-30122.
How can I fix CVE-2022-30122?
To fix CVE-2022-30122, update to the fixed versions: 2.0.9.1, 2.1.4.1, or 2.2.3.1 of Rack.
What is the severity of CVE-2022-30122?
CVE-2022-30122 has a severity rating of 7.5 (High).
Where can I find more information about CVE-2022-30122?
You can find more information about CVE-2022-30122 in the references provided: [GitHub Advisory](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml), [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2099520), [Red Hat Security Advisory](https://access.redhat.com/errata/RHSA-2022:7242).

collector/redhat-cve
collector/nvd-index
collector/github-advisory-latest
alias/GHSA-hxqx-xwvh-44m2
alias/CVE-2022-30122
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/github-advisory
source/GitHub
agent/software-canonical-lookup
agent/weakness
agent/remedy
agent/author
agent/severity
collector/redhat-bugzilla
source/Red Hat
collector/nvd-api
agent/software-canonical-lookup-request
collector/security-tracker-debian
source/Debian
agent/references
agent/softwarecombine
agent/tags
collector/usn-cve
source/Ubuntu
agent/description
agent/event
collector/mitre-cve
source/MITRE
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
package-manager/redhat
vendor/rack project
canonical/rack project rack
version/rack project rack/1.2
version/rack project rack/2.1.0
version/rack project rack/2.2.0
package-manager/rubygems
vendor/debian
canonical/debian debian linux
version/debian debian linux/11.0
package-manager/debian