{"api_version":"1","generated_at":"2026-04-22T19:36:57+00:00","cve":"CVE-2022-44572","urls":{"html":"https://cve.report/CVE-2022-44572","api":"https://cve.report/api/cve/CVE-2022-44572.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-44572","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-44572"},"summary":{"title":"CVE-2022-44572","description":"A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.","state":"PUBLIC","assigner":"support@hackerone.com","published_at":"2023-02-09 20:15:00","updated_at":"2023-12-08 22:15:00"},"problem_types":["CWE-1333"],"metrics":[],"references":[{"url":"https://www.debian.org/security/2023/dsa-5530","name":"DSA-5530","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-5530-1 ruby-rack","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.netapp.com/advisory/ntap-20231208-0014/","name":"https://security.netapp.com/advisory/ntap-20231208-0014/","refsource":"","tags":[],"title":"CVE-2022-44572 Rack Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://hackerone.com/reports/1639882","name":"https://hackerone.com/reports/1639882","refsource":"MISC","tags":[],"title":"HackerOne","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-44572","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-44572","name":"NVD vulnerability 
detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2022","cve_id":"44572","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rack_project","cpe5":"rack","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"ruby","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-44572","qid":"181526","title":"Debian Security Update for ruby-rack (DLA 3298-1)"},{"cve":"CVE-2022-44572","qid":"182441","title":"Debian Security Update for ruby-rack (CVE-2022-44572)"},{"cve":"CVE-2022-44572","qid":"199546","title":"Ubuntu Security Notification for Rack Vulnerabilities (USN-5910-1)"},{"cve":"CVE-2022-44572","qid":"242347","title":"Red Hat Update for Satellite 6.14 (RHSA-2023:6818)"},{"cve":"CVE-2022-44572","qid":"6000290","title":"Debian Security Update for ruby-rack (DSA 5530-1)"},{"cve":"CVE-2022-44572","qid":"691031","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for rack (95176ba5-9796-11ed-bfbf-080027f5fec9)"},{"cve":"CVE-2022-44572","qid":"753622","title":"SUSE Enterprise Linux Security Update for rubygem-rack (SUSE-SU-2023:0276-1)"},{"cve":"CVE-2022-44572","qid":"961065","title":"Rocky Linux Security Update for Satellite (RLSA-2023:6818)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2022-44572","ASSIGNER":"support@hackerone.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"https://github.com/rack/rack","version":{"version_data":[{"version_value":"2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"Denial of Service 
(CWE-400)"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://hackerone.com/reports/1639882","url":"https://hackerone.com/reports/1639882"},{"refsource":"DEBIAN","name":"DSA-5530","url":"https://www.debian.org/security/2023/dsa-5530"}]},"description":{"description_data":[{"lang":"eng","value":"A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could allow an attacker to craft input that can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted."}]}},"nvd":{"publishedDate":"2023-02-09 20:15:00","lastModifiedDate":"2023-12-08 22:15:00","problem_types":["CWE-1333"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"NONE","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*","versionStartIncluding":"2.2.0","versionEndExcluding":"2.2.4.1","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*","versionStartIncluding":"2.1.0","versionEndExcluding":"2.1.4.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*","versionEndExcluding":"2.0.9.2","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}