CVE-2022-44571: Inefficient Regular Expression Complexity

February 9, 2023 (updated December 8, 2023)

There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial ofservice attack vector. This header is used typically used in multipartparsing. Any applications that parse multipart posts using Rack (virtuallyall Rails applications) are impacted.

References

discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
github.com/advisories/GHSA-93pm-5p5f-3ghx
github.com/rack/rack/releases/tag/v3.0.4.1
nvd.nist.gov/vuln/detail/CVE-2022-44571

Detect and mitigate CVE-2022-44571 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →