| Name | CVE-2023-27530 |
| Description | A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart parsing to take longer than expected. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-3392-1, DSA-5530-1 |
| Debian Bugs | 1032803 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ruby-rack (PTS) | bullseye (security), bullseye | 2.1.4-3+deb11u2 | fixed |
| bookworm, bookworm (security) | 2.2.6.4-1+deb12u1 | fixed | |
| sid, trixie | 2.2.7-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ruby-rack | source | buster | 2.0.6-3+deb10u3 | DLA-3392-1 | ||
| ruby-rack | source | bullseye | 2.1.4-3+deb11u1 | DSA-5530-1 | ||
| ruby-rack | source | (unstable) | 2.2.6.4-1 | 1032803 |
https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
https://github.com/rack/rack/commit/8e8869d625e73e16b576b6d31b50208e9ec8002f (main)
https://github.com/rack/rack/commit/9aac3757fe19cdb0476504c9245170115bec9668 (v2.2.6.3)
https://github.com/rack/rack/commit/b632718265fa5ffa547b060331341a1e216b4ffa (v2.1.4.3)
https://github.com/rack/rack/commit/5f6e2fcbbdbff2dfaa21baa693e9d23d12ac1459 (v2.0.9.3)