What is CVE-2022-30123?

CVE-2022-30123 is a shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack.

What is the severity of CVE-2022-30123?

CVE-2022-30123 has a severity score of 10, which is classified as critical.

Which versions of Rack are affected by CVE-2022-30123?

All versions of Rack are affected by CVE-2022-30123.

How can I fix CVE-2022-30123?

To fix CVE-2022-30123, update to the fixed versions: 2.0.9.1, 2.1.4.1, or 2.2.3.1.

Where can I find more information about CVE-2022-30123?

You can find more information about CVE-2022-30123 in the following references: [Link 1](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2099525), [Link 3](https://rubygems.org/gems/rack).

Vulnerability/
CVE-2022-30123

critical

CWE

150 179

27/5/2022

5/12/2022

21/11/2024

CVE-2022-30123

First published: Fri May 27 2022(Updated: )

A flaw was found in ruby gem-rack. This flaw allows a malicious actor to craft requests that can cause shell escape sequences to be written to the terminal via rack's `Lint` middleware and `CommonLogger` middleware. This issue can leverage these escape sequences to execute commands in the victim's terminal.

Credit: support@hackerone.com support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
redhat/pcs	<0:0.9.169-3.el7_9.3	0:0.9.169-3.el7_9.3
redhat/rubygem-rack	<0:2.2.4-1.el7	0:2.2.4-1.el7
Rack Project Rack	<2.0.9.1
Rack Project Rack	>=2.1.0<2.1.4.1
Rack Project Rack	>=2.2.0<2.2.3.1
Debian Debian Linux	=11.0
rubygems/rack	>=2.2<=2.2.3.0	2.2.3.1
rubygems/rack	>=2.1<=2.1.4.0	2.1.4.1
rubygems/rack	<=2.0.9.0	2.0.9.1
redhat/rubygem-rack	<2.0.9.1	2.0.9.1
redhat/rubygem-rack	<2.1.4.1	2.1.4.1
redhat/rubygem-rack	<2.2.3.1	2.2.3.1
debian/ruby-rack		2.1.4-3+deb11u2 2.2.6.4-1+deb12u1 2.2.7-1.1

Remedy

https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2022-30123?
CVE-2022-30123 is a shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack.
What is the severity of CVE-2022-30123?
CVE-2022-30123 has a severity score of 10, which is classified as critical.
Which versions of Rack are affected by CVE-2022-30123?
All versions of Rack are affected by CVE-2022-30123.
How can I fix CVE-2022-30123?
To fix CVE-2022-30123, update to the fixed versions: 2.0.9.1, 2.1.4.1, or 2.2.3.1.
Where can I find more information about CVE-2022-30123?
You can find more information about CVE-2022-30123 in the following references: [Link 1](https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2099525), [Link 3](https://rubygems.org/gems/rack).

collector/redhat-cve
collector/nvd-index
collector/nvd-api
collector/github-advisory-latest
alias/GHSA-wq4h-7r42-5hrr
alias/CVE-2022-30123
agent/type
agent/first-publish-date
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/github-advisory
source/GitHub
agent/weakness
agent/remedy
agent/severity
agent/author
collector/security-tracker-debian
source/Debian
collector/mitre-cve
source/MITRE
agent/references
agent/softwarecombine
collector/usn-cve
source/Ubuntu
agent/description
agent/event
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
agent/tags
agent/source
package-manager/redhat
vendor/rack project
canonical/rack project rack
version/rack project rack/2.1.0
version/rack project rack/2.2.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/11.0
package-manager/rubygems
package-manager/debian