CVE-2022-44572 — Denial of service via multipart parsing in Rack

Description

A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

How to fix CVE-2022-44572

To remediate CVE-2022-44572, upgrade the affected package to a fixed version below.

—upgrade to 2.1.4-3+deb11u1 or later
—upgrade to 2.0.9.2 or later

Is CVE-2022-44572 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.1.4-3+deb11u1
>= 2.0.0, < 2.0.9.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-44572
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-44572
PATCHgithub.com/rack/rack
WEBgithub.com/rack/rack/releases/tag/v3.0.4.1
WEB