What is the vulnerability ID for this vulnerability?

The vulnerability ID for this vulnerability is CVE-2022-44572.

What is the severity of CVE-2022-44572?

The severity of CVE-2022-44572 is high (7.5).

Which versions of Rack are affected by CVE-2022-44572?

Versions >= 2.0.0 of Rack are affected by CVE-2022-44572.

How can I fix CVE-2022-44572?

To fix CVE-2022-44572, update to one of the fixed versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, or 3.0.0.1.

Where can I find more information about CVE-2022-44572?

You can find more information about CVE-2022-44572 on the following websites: [HackerOne](https://hackerone.com/reports/1639882), [Debian Security Advisory](https://www.debian.org/security/2023/dsa-5530), [GitHub Commit](https://github.com/rack/rack/commit/dc50f8e495f67eb933b1fc33ebee550908d945e6).

Vulnerability/
CVE-2022-44572

high

7.5

CWE

1333 400

18/1/2023

9/2/2023

21/11/2024

CVE-2022-44572

First published: Wed Jan 18 2023(Updated: )

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Credit: support@hackerone.com support@hackerone.com support@hackerone.com

Affected Software	Affected Version	How to fix
Rack Project Rack	<2.0.9.2
Rack Project Rack	>=2.1.0<2.1.4.2
Rack Project Rack	>=2.2.0<2.2.4.1
rubygems/rack	>=3.0.0.0<3.0.4.1	3.0.4.1
rubygems/rack	>=2.2.0.0<2.2.6.1	2.2.6.1
rubygems/rack	>=2.1.0.0<2.1.4.2	2.1.4.2
rubygems/rack	>=2.0.0<2.0.9.2	2.0.9.2
redhat/rubygem-rack	<2.0.9.2	2.0.9.2
redhat/rubygem-rack	<2.1.4.2	2.1.4.2
redhat/rubygem-rack	<2.2.6.1	2.2.6.1
redhat/rubygem-rack	<3.0.4.1	3.0.4.1
debian/ruby-rack		2.1.4-3+deb11u2 2.2.6.4-1+deb12u1 2.2.7-1.1

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the vulnerability ID for this vulnerability?
The vulnerability ID for this vulnerability is CVE-2022-44572.
What is the severity of CVE-2022-44572?
The severity of CVE-2022-44572 is high (7.5).
Which versions of Rack are affected by CVE-2022-44572?
Versions >= 2.0.0 of Rack are affected by CVE-2022-44572.
How can I fix CVE-2022-44572?
To fix CVE-2022-44572, update to one of the fixed versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, or 3.0.0.1.
Where can I find more information about CVE-2022-44572?
You can find more information about CVE-2022-44572 on the following websites: [HackerOne](https://hackerone.com/reports/1639882), [Debian Security Advisory](https://www.debian.org/security/2023/dsa-5530), [GitHub Commit](https://github.com/rack/rack/commit/dc50f8e495f67eb933b1fc33ebee550908d945e6).

collector/nvd-index
collector/github-advisory-latest
alias/GHSA-rqv2-275x-2jq5
alias/CVE-2022-44572
collector/github-advisory
collector/nvd-api
agent/weakness
agent/type
agent/first-publish-date
agent/author
agent/severity
collector/redhat-bugzilla
source/Red Hat
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/references
collector/launchpad-cve
source/Launchpad
collector/security-tracker-debian
source/Debian
agent/tags
agent/softwarecombine
collector/usn-cve
source/Ubuntu
agent/description
agent/event
collector/nvd-cve
source/NVD
agent/last-modified-date
agent/trending
vendor/rack project
canonical/rack project rack
version/rack project rack/2.1.0
version/rack project rack/2.2.0
package-manager/rubygems
package-manager/redhat
package-manager/debian