Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability

Bugtraq ID:	58769
Class:	Unknown
CVE:	CVE-2013-0184
Remote:	Yes
Local:	No
Published:	Jan 16 2013 12:00AM
Updated:	Apr 13 2015 10:16PM
Credit:	Paul Rogers and Vendor
Vulnerable:	SuSE Cloud 1.0 Redhat Subscription Asset Manager 0 Redhat CloudForms 0 Gentoo Linux Debian Linux 6.0 sparc Debian Linux 6.0 s/390 Debian Linux 6.0 powerpc Debian Linux 6.0 mips Debian Linux 6.0 ia-64 Debian Linux 6.0 ia-32 Debian Linux 6.0 arm Debian Linux 6.0 amd64 Christian Neukirchen Rack 1.4.3 Christian Neukirchen Rack 1.4.2 Christian Neukirchen Rack 1.3.8 Christian Neukirchen Rack 1.3.7 Christian Neukirchen Rack 1.2.6 Christian Neukirchen Rack 1.2 Christian Neukirchen Rack 1.1.4 Christian Neukirchen Rack 1.1 Christian Neukirchen Rack 1.4.0 Christian Neukirchen Rack 1.3.6 Christian Neukirchen Rack 1.3.5 Christian Neukirchen Rack 1.2.5 Christian Neukirchen Rack 1.2.4 Christian Neukirchen Rack 1.1.3 Christian Neukirchen Rack 1.1.2
Not Vulnerable:	Christian Neukirchen Rack 1.4.4 Christian Neukirchen Rack 1.3.9 Christian Neukirchen Rack 1.2.7 Christian Neukirchen Rack 1.1.5

Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability

Rack is prone to a denial-of-service vulnerability.

Attackers can exploit this issue to cause denial-of-service conditions.

Note: This issue was previously discussed in BID 57430 (Rack Multiple Denial of Service Vulnerabilities), but has been moved to its own record to better document it.

Versions prior to Rack 1.1.5, 1.2.7, 1.3.9, and 1.4.4 are vulnerable.

Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability

Attackers can use readily available tools to exploit this issue.

Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability

Solution:
Updates are available. Please see the references or vendor advisory for more information.

Rack 'Rack::Auth::AbstractRequest' CVE-2013-0184 Denial of Service Vulnerability

References:

• SUSE-SU-2013:0508-1: important: Security update for rubygem-merb-core (SUSE)
  
• [SEC][ANN] Rack 1.4.4, a modular Ruby webserver interface (Christian Neukirchen)
  
• Bug 895384 - (CVE-2013-0184) CVE-2013-0184 rubygem-rack: Rack::Auth::AbstractReq (Red Hat Bugzilla)
  
• bug report and unit test for infinite loop parsing Content-Disposion header (Paul Rogers)
  
• Important: Subscription Asset Manager 1.2 update (Red Hat)
  
• Moderate: CloudForms Common 1.1.2 update (Red Hat)
  
• Rack Home Page (Christian Neukirchen)
  
• [SEC][ANN] Rack 1.3.8, a modular Ruby webserver interface (Christian Neukirchen)