CVE Vulnerabilities

CVE-2024-26146

Inefficient Regular Expression Complexity

Published: Feb 29, 2024 | Modified: Feb 14, 2025
CVSS 3.x
7.5
HIGH
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
RedHat/V2
RedHat/V3
5.3 MODERATE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Ubuntu
MEDIUM
root.io logo minimus.io logo echo.ai logo

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

Weakness

The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Software

NameVendorStart VersionEnd Version
RackRack0.4 (including)2.0.9.4 (excluding)
RackRack2.1.0 (including)2.1.4.4 (excluding)
RackRack2.2.0 (including)2.2.8.1 (excluding)
Red Hat Enterprise Linux 8RedHatpcs-0:0.10.18-2.el8_10*
Red Hat Enterprise Linux 8.2 Telecommunications Update ServiceRedHatpcs-0:0.10.4-6.el8_2.5*
Red Hat Enterprise Linux 8.2 Update Services for SAP SolutionsRedHatpcs-0:0.10.4-6.el8_2.5*
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update SupportRedHatpcs-0:0.10.8-1.el8_4.5*
Red Hat Enterprise Linux 8.4 Telecommunications Update ServiceRedHatpcs-0:0.10.8-1.el8_4.5*
Red Hat Enterprise Linux 8.4 Update Services for SAP SolutionsRedHatpcs-0:0.10.8-1.el8_4.5*
Red Hat Enterprise Linux 8.6 Extended Update SupportRedHatpcs-0:0.10.12-6.el8_6.5*
Red Hat Enterprise Linux 8.8 Extended Update SupportRedHatpcs-0:0.10.15-4.el8_8.2*
Red Hat Enterprise Linux 9RedHatpcs-0:0.11.7-2.el9_4*
Red Hat Enterprise Linux 9.0 Extended Update SupportRedHatpcs-0:0.11.1-10.el9_0.5*
Red Hat Enterprise Linux 9.2 Extended Update SupportRedHatpcs-0:0.11.4-7.el9_2.1*
Red Hat Satellite 6.15 for RHEL 8RedHatrubygem-rack-0:2.2.8.1-1.el8sat*
Red Hat Satellite 6.15 for RHEL 8RedHatrubygem-rack-0:2.2.8.1-1.el8sat*
Ruby-rackUbuntubionic*
Ruby-rackUbuntuesm-apps-legacy/xenial*
Ruby-rackUbuntuesm-apps/bionic*
Ruby-rackUbuntuesm-apps/focal*
Ruby-rackUbuntuesm-apps/jammy*
Ruby-rackUbuntuesm-apps/xenial*
Ruby-rackUbuntuesm-infra-legacy/trusty*
Ruby-rackUbuntufocal*
Ruby-rackUbuntujammy*
Ruby-rackUbuntumantic*
Ruby-rackUbuntunoble*
Ruby-rackUbuntutrusty*
Ruby-rackUbuntutrusty/esm*
Ruby-rackUbuntuupstream*
Ruby-rackUbuntuxenial*

Potential Mitigations

References