Vulnerability-Lookup

CVE-2022-30122 (GCVE-0-2022-30122)

Vulnerability from cvelistv5 – Published: 2022-12-05 00:00 – Updated: 2024-11-19 20:16

Summary

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

	Vendor	Product	Version
	n/a	https://github.com/rack/rack	Affected: 2.0.9.1, 2.1.4.1, 2.2.3.1

CERTFR-2022-AVI-506

Vulnerability from certfr_avis - Published: 2022-05-30 - Updated: 2022-05-30

De multiples vulnérabilités ont été découvertes dans Ruby on Rails . Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 2.1.x antérieures à 2.1.4.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions antérieures à 2.0.9.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 2.2.x antérieures à 2.2.3.1

References

Title

Publication Time

GHSA-HXQX-XWVH-44M2

Vulnerability from github – Published: 2022-05-27 16:36 – Updated: 2023-08-28 13:59

Summary

Denial of Service Vulnerability in Rack Multipart Parsing

Details

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122.

Versions Affected: >= 1.2 Not affected: < 1.2 Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1

Impact

Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.

Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this:

params = Rack::Multipart.parse_multipart(env)

But it also includes reading POST data from a Rack request object like this:

p request.POST # read POST data
p request.params # reads both query params and POST data

All users running an affected release should either upgrade or use one of the workarounds immediately.

Workarounds

There are no feasible workarounds for this issue.

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.0.9.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.2"
            },
            {
              "fixed": "2.0.9.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.1.4.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.1"
            },
            {
              "fixed": "2.1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.2.3.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "rack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.2"
            },
            {
              "fixed": "2.2.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-30122"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-05-27T16:36:52Z",
    "nvd_published_at": "2022-12-05T22:15:00Z",
    "severity": "HIGH"
  },
  "details": "There is a possible denial of service vulnerability in the multipart parsing component of Rack.  This vulnerability has been assigned the CVE identifier CVE-2022-30122.\n\nVersions Affected:  \u003e= 1.2\nNot affected:       \u003c 1.2\nFixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted multipart POST requests can cause Rack\u0027s multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.\n\nImpacted code will use Rack\u0027s multipart parser to parse multipart posts.  This includes directly using the multipart parser like this:\n\n```\nparams = Rack::Multipart.parse_multipart(env)\n```\n\nBut it also includes reading POST data from a Rack request object like this:\n\n```\np request.POST # read POST data\np request.params # reads both query params and POST data\n```\n\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\n\n## Workarounds\nThere are no feasible workarounds for this issue.\n",
  "id": "GHSA-hxqx-xwvh-44m2",
  "modified": "2023-08-28T13:59:06Z",
  "published": "2022-05-27T16:36:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-30122"
    },
    {
      "type": "WEB",
      "url": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rack/rack"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202310-18"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20231208-0012"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Denial of Service Vulnerability in Rack Multipart Parsing"
}

GSD-2022-30122

Vulnerability from gsd - Updated: 2022-06-27 00:00

Details

There is a possible denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30122. Versions Affected: >= 1.2 Not affected: < 1.2 Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1 ## Impact Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack's multipart parser to parse multipart posts. This includes directly using the multipart parser like this: ``` params = Rack::Multipart.parse_multipart(env) ``` But it also includes reading POST data from a Rack request object like this: ``` p request.POST # read POST data p request.params # reads both query params and POST data ``` All users running an affected release should either upgrade or use one of the workarounds immediately. ## Workarounds There are no feasible workarounds for this issue.

Aliases

CVE-2022-30122

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2022-30122",
    "id": "GSD-2022-30122",
    "references": [
      "https://www.suse.com/security/cve/CVE-2022-30122.html",
      "https://advisories.mageia.org/CVE-2022-30122.html",
      "https://access.redhat.com/errata/RHSA-2022:7242",
      "https://ubuntu.com/security/CVE-2022-30122"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rack",
            "purl": "pkg:gem/rack"
          }
        }
      ],
      "aliases": [
        "CVE-2022-30122",
        "GHSA-hxqx-xwvh-44m2"
      ],
      "details": "There is a possible denial of service vulnerability in the multipart parsing\ncomponent of Rack.  This vulnerability has been assigned the CVE identifier\nCVE-2022-30122.\n\nVersions Affected:  \u003e= 1.2\nNot affected:       \u003c 1.2\nFixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted multipart POST requests can cause Rack\u0027s multipart parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack\u0027s multipart parser to parse multipart posts.  This\nincludes directly using the multipart parser like this:\n\n```\nparams = Rack::Multipart.parse_multipart(env)\n```\n\nBut it also includes reading POST data from a Rack request object like this:\n\n```\np request.POST # read POST data\np request.params # reads both query params and POST data\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nThere are no feasible workarounds for this issue.\n",
      "id": "GSD-2022-30122",
      "modified": "2022-06-27T00:00:00.000Z",
      "published": "2022-06-27T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Denial of Service Vulnerability in Rack Multipart Parsing"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "support@hackerone.com",
        "ID": "CVE-2022-30122",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "https://github.com/rack/rack",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "2.0.9.1, 2.1.4.1, 2.2.3.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "Denial of Service (CWE-400)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729",
            "refsource": "MISC",
            "url": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729"
          },
          {
            "name": "DSA-5530",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2023/dsa-5530"
          },
          {
            "name": "GLSA-202310-18",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202310-18"
          },
          {
            "name": "https://security.netapp.com/advisory/ntap-20231208-0012/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20231208-0012/"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-30122",
      "cvss_v3": 7.5,
      "date": "2022-06-27",
      "description": "There is a possible denial of service vulnerability in the multipart parsing\ncomponent of Rack.  This vulnerability has been assigned the CVE identifier\nCVE-2022-30122.\n\nVersions Affected:  \u003e= 1.2\nNot affected:       \u003c 1.2\nFixed Versions:     2.0.9.1, 2.1.4.1, 2.2.3.1\n\n## Impact\nCarefully crafted multipart POST requests can cause Rack\u0027s multipart parser to\ntake much longer than expected, leading to a possible denial of service\nvulnerability.\n\nImpacted code will use Rack\u0027s multipart parser to parse multipart posts.  This\nincludes directly using the multipart parser like this:\n\n```\nparams = Rack::Multipart.parse_multipart(env)\n```\n\nBut it also includes reading POST data from a Rack request object like this:\n\n```\np request.POST # read POST data\np request.params # reads both query params and POST data\n```\n\nAll users running an affected release should either upgrade or use one of the\nworkarounds immediately.\n\n## Workarounds\nThere are no feasible workarounds for this issue.\n",
      "gem": "rack",
      "ghsa": "hxqx-xwvh-44m2",
      "patched_versions": [
        "~\u003e 2.0.9, \u003e= 2.0.9.1",
        "~\u003e 2.1.4, \u003e= 2.1.4.1",
        "\u003e= 2.2.3.1"
      ],
      "title": "Denial of Service Vulnerability in Rack Multipart Parsing",
      "unaffected_versions": [
        "\u003c 1.2"
      ],
      "url": "https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=1.2 \u003c2.0.9.1||\u003e=2.1.0 \u003c2.1.4.1||\u003e=2.2.0 \u003c2.2.3.1",
          "affected_versions": "All versions starting from 1.2 before 2.0.9.1, all versions starting from 2.1.0 before 2.1.4.1, all versions starting from 2.2.0 before 2.2.3.1",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-1333",
            "CWE-937"
          ],
          "date": "2023-07-21",
          "description": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack.",
          "fixed_versions": [
            "2.0.9.1",
            "2.1.4.1",
            "2.2.3.1"
          ],
          "identifier": "CVE-2022-30122",
          "identifiers": [
            "CVE-2022-30122",
            "GHSA-hxqx-xwvh-44m2",
            "GMS-2022-1643"
          ],
          "not_impacted": "All versions before 1.2, all versions starting from 2.0.9.1 before 2.1.0, all versions starting from 2.1.4.1 before 2.2.0, all versions starting from 2.2.3.1",
          "package_slug": "gem/rack",
          "pubdate": "2022-12-05",
          "solution": "Upgrade to versions 2.0.9.1, 2.1.4.1, 2.2.3.1 or above.",
          "title": "Uncontrolled Resource Consumption",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2022-30122",
            "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729",
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml",
            "https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk",
            "https://github.com/advisories/GHSA-hxqx-xwvh-44m2"
          ],
          "uuid": "45e4da61-8808-4db2-9bf6-bcdc8c6c1bcd"
        },
        {
          "affected_range": "\u003c0",
          "affected_versions": "All versions starting from 1.2 up to 2.0.9.0, all versions starting from 2.1 up to 2.1.4.0, all versions starting from 2.2 up to 2.2.3.0",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937"
          ],
          "date": "2022-05-27",
          "description": "Carefully crafted multipart POST requests can cause Rack\u0027s multipart parser to take much longer than expected, leading to a possible denial of service vulnerability. Impacted code will use Rack\u0027s multipart parser to parse multipart posts.",
          "fixed_versions": [
            "2.0.9.1",
            "2.1.4.1",
            "2.2.3.1"
          ],
          "identifier": "GMS-2022-1643",
          "identifiers": [
            "GHSA-hxqx-xwvh-44m2",
            "GMS-2022-1643",
            "CVE-2022-30122"
          ],
          "not_impacted": "All versions before 1.2, all versions after 2.0.9.0 before 2.1, all versions after 2.1.4.0 before 2.2, all versions after 2.2.3.0",
          "package_slug": "gem/rack",
          "pubdate": "2022-05-27",
          "solution": "Upgrade to versions 2.0.9.1, 2.1.4.1, 2.2.3.1 or above.",
          "title": "Duplicate of ./gem/rack/CVE-2022-30122.yml",
          "urls": [
            "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml",
            "https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk",
            "https://github.com/advisories/GHSA-hxqx-xwvh-44m2"
          ],
          "uuid": "20daa17a-47b5-4f79-80c2-cd8f2db9805c"
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "442EB5AF-A390-4A62-8B4E-8A2C082864D3",
                    "versionEndExcluding": "2.0.9.1",
                    "versionStartIncluding": "1.2",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "32E774AF-E7BB-45EB-B5E4-66F8F5D36285",
                    "versionEndExcluding": "2.1.4.1",
                    "versionStartIncluding": "2.1.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6145EE1D-85D5-4744-BA51-88EC52FF2891",
                    "versionEndExcluding": "2.2.3.1",
                    "versionStartIncluding": "2.2.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          },
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
                    "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack."
          },
          {
            "lang": "es",
            "value": "Existe una posible vulnerabilidad de Denegaci\u00f3n de Servicio (DoS) en Rack \u0026lt;2.0.9.1, \u0026lt;2.1.4.1 y \u0026lt;2.2.3.1 en el componente de an\u00e1lisis multiparte de Rack."
          }
        ],
        "id": "CVE-2022-30122",
        "lastModified": "2023-12-20T03:02:05.353",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2022-12-05T22:15:10.227",
        "references": [
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.gentoo.org/glsa/202310-18"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20231208-0012/"
          },
          {
            "source": "support@hackerone.com",
            "tags": [
              "Third Party Advisory"
            ],
            "url": "https://www.debian.org/security/2023/dsa-5530"
          }
        ],
        "sourceIdentifier": "support@hackerone.com",
        "vulnStatus": "Analyzed",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1333"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-400"
              }
            ],
            "source": "support@hackerone.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

CVE-2022-30122

Vulnerability from fstec - Published: 02.07.2022

Title

Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack, связанная с неправильной проверкой ввода, позволяющая нарушителю выполнить атаку типа «отказ в обслуживании» (DoS)

Description

Уязвимость модульного интерфейса между веб-серверами и веб-приложениями Rack связана с недостаточной проверкой введенных пользователем данных при анализе составных запросов POST. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, выполнить атаку типа «отказ в обслуживании» (DoS) с помощью специально созданного запроса POST

Severity ?


                    
                      AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Vendor

Red Hat Inc., Сообщество свободного программного обеспечения, Novell Inc., ООО «Ред Софт», ООО «РусБИТех-Астра», ФССП России, Leah Neukirchen, АО "НППКТ", АО «ИВК»

Software Name

Red Hat Enterprise Linux, Red Hat Satellite, Debian GNU/Linux, Red Hat Storage, OpenSUSE Leap, РЕД ОС (запись в едином реестре российских программ №3751), Astra Linux Special Edition (запись в едином реестре российских программ №369), ОС ТД АИС ФССП России, Rack, ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Astra Linux Common Edition (запись в едином реестре российских программ №4433), АЛЬТ СП 10

Software Version

7 (Red Hat Enterprise Linux), 6.0 (Red Hat Satellite), 10 (Debian GNU/Linux), 3 (Red Hat Storage), 15.3 (OpenSUSE Leap), 11 (Debian GNU/Linux), 7.3 (РЕД ОС), 1.7 (Astra Linux Special Edition), ИК6 (ОС ТД АИС ФССП России), 15.4 (OpenSUSE Leap), до 2.0.9.1 (Rack), до 2.1.4.1 (Rack), до 2.2.3.1 (Rack), до 2.6 (ОСОН ОСнова Оnyx), 1.6 «Смоленск» (Astra Linux Common Edition), - (АЛЬТ СП 10)

Possible Mitigations

Использование рекомендаций: Для Rack: https://github.com/advisories/GHSA-hxqx-xwvh-44m2 Для Debian GNU/Linux: https://security-tracker.debian.org/tracker/CVE-2022-30122 Для РедОС: http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ Для программных продуктов Novell Inc.: https://www.suse.com/security/cve/CVE-2022-30122.html Для программных продуктов Red Hat Inc.: https://access.redhat.com/security/cve/CVE-2022-30122 Для ОС ТД АИС ФССП России: https://goslinux.fssp.gov.ru/2726972/ Для ОСОН ОСнова Оnyx: Обновление программного обеспечения ruby-rack до версии 2.0.6-3+deb10u1 Для ОС Альт 8 СП (релиз 10): установка обновления из публичного репозитория программного средства Для ОС Astra Linux Special Edition 1.7: обновить пакет ruby-rack до 2.0.6-3+deb10u1 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17 Для ОС Astra Linux: обновить пакет ruby-rack до 1.6.4-4+deb9u7 или более высокой версии, используя рекомендации производителя: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16

Reference

https://github.com/advisories/GHSA-hxqx-xwvh-44m2 https://security-tracker.debian.org/tracker/CVE-2022-30122 http://repo.red-soft.ru/redos/7.3c/x86_64/updates/ https://www.suse.com/security/cve/CVE-2022-30122.html https://access.redhat.com/security/cve/CVE-2022-30122 https://goslinux.fssp.gov.ru/2726972/ https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.6/ https://altsp.su/obnovleniya-bezopasnosti/ https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16

CWE

CWE-20

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
  "CVSS 3.0": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f, Novell Inc., \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb, \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb, \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Leah Neukirchen, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7 (Red Hat Enterprise Linux), 6.0 (Red Hat Satellite), 10 (Debian GNU/Linux), 3 (Red Hat Storage), 15.3 (OpenSUSE Leap), 11 (Debian GNU/Linux), 7.3 (\u0420\u0415\u0414 \u041e\u0421), 1.7 (Astra Linux Special Edition), \u0418\u041a6 (\u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438), 15.4 (OpenSUSE Leap), \u0434\u043e 2.0.9.1 (Rack), \u0434\u043e 2.1.4.1 (Rack), \u0434\u043e 2.2.3.1 (Rack), \u0434\u043e 2.6 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb (Astra Linux Common Edition), - (\u0410\u041b\u042c\u0422 \u0421\u041f 10)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f Rack:\nhttps://github.com/advisories/GHSA-hxqx-xwvh-44m2\n\n\u0414\u043b\u044f Debian GNU/Linux:\nhttps://security-tracker.debian.org/tracker/CVE-2022-30122\n\n\u0414\u043b\u044f \u0420\u0435\u0434\u041e\u0421:\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2022-30122.html\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/CVE-2022-30122\n\n\u0414\u043b\u044f \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438:\nhttps://goslinux.fssp.gov.ru/2726972/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f ruby-rack \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 2.0.6-3+deb10u1\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0440\u0435\u043b\u0438\u0437 10): \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux Special Edition 1.7:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 ruby-rack \u0434\u043e 2.0.6-3+deb10u1 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se17-bulletin-2022-1110SE17\n\n\u0414\u043b\u044f \u041e\u0421 Astra Linux:\n\u043e\u0431\u043d\u043e\u0432\u0438\u0442\u044c \u043f\u0430\u043a\u0435\u0442 ruby-rack \u0434\u043e 1.6.4-4+deb9u7 \u0438\u043b\u0438 \u0431\u043e\u043b\u0435\u0435 \u0432\u044b\u0441\u043e\u043a\u043e\u0439 \u0432\u0435\u0440\u0441\u0438\u0438, \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u044f \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0438 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u044f: https://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "02.07.2022",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "20.01.2026",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "08.07.2022",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2022-04200",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2022-30122",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Red Hat Satellite, Debian GNU/Linux, Red Hat Storage, OpenSUSE Leap, \u0420\u0415\u0414 \u041e\u0421 (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), Astra Linux Special Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438, Rack, \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Astra Linux Common Edition (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0410\u041b\u042c\u0422 \u0421\u041f 10",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 7 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 10 , Novell Inc. OpenSUSE Leap 15.3 , \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Debian GNU/Linux 11 , \u041e\u041e\u041e \u00ab\u0420\u0435\u0434 \u0421\u043e\u0444\u0442\u00bb \u0420\u0415\u0414 \u041e\u0421 7.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21163751), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Special Edition 1.7  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116369), \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u041e\u0421 \u0422\u0414 \u0410\u0418\u0421 \u0424\u0421\u0421\u041f \u0420\u043e\u0441\u0441\u0438\u0438 \u0418\u041a6 , Novell Inc. OpenSUSE Leap 15.4 , \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.6  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), \u041e\u041e\u041e \u00ab\u0420\u0443\u0441\u0411\u0418\u0422\u0435\u0445-\u0410\u0441\u0442\u0440\u0430\u00bb Astra Linux Common Edition 1.6 \u00ab\u0421\u043c\u043e\u043b\u0435\u043d\u0441\u043a\u00bb  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164433), \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u041b\u042c\u0422 \u0421\u041f 10 - ",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0435\u0436\u0434\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438 \u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 Rack, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u043e\u0434\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438\u00bb (DoS)",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u043e\u0434\u0443\u043b\u044c\u043d\u043e\u0433\u043e \u0438\u043d\u0442\u0435\u0440\u0444\u0435\u0439\u0441\u0430 \u043c\u0435\u0436\u0434\u0443 \u0432\u0435\u0431-\u0441\u0435\u0440\u0432\u0435\u0440\u0430\u043c\u0438 \u0438 \u0432\u0435\u0431-\u043f\u0440\u0438\u043b\u043e\u0436\u0435\u043d\u0438\u044f\u043c\u0438 Rack \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u043e\u0439 \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u043e\u0439 \u0432\u0432\u0435\u0434\u0435\u043d\u043d\u044b\u0445 \u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u0442\u0435\u043b\u0435\u043c \u0434\u0430\u043d\u043d\u044b\u0445 \u043f\u0440\u0438 \u0430\u043d\u0430\u043b\u0438\u0437\u0435 \u0441\u043e\u0441\u0442\u0430\u0432\u043d\u044b\u0445 \u0437\u0430\u043f\u0440\u043e\u0441\u043e\u0432 POST. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u0430\u0442\u0430\u043a\u0443 \u0442\u0438\u043f\u0430 \u00ab\u043e\u0442\u043a\u0430\u0437 \u0432 \u043e\u0431\u0441\u043b\u0443\u0436\u0438\u0432\u0430\u043d\u0438\u0438\u00bb (DoS) \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e \u0441\u043f\u0435\u0446\u0438\u0430\u043b\u044c\u043d\u043e \u0441\u043e\u0437\u0434\u0430\u043d\u043d\u043e\u0433\u043e \u0437\u0430\u043f\u0440\u043e\u0441\u0430 POST",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://github.com/advisories/GHSA-hxqx-xwvh-44m2\nhttps://security-tracker.debian.org/tracker/CVE-2022-30122\nhttp://repo.red-soft.ru/redos/7.3c/x86_64/updates/\nhttps://www.suse.com/security/cve/CVE-2022-30122.html\nhttps://access.redhat.com/security/cve/CVE-2022-30122\nhttps://goslinux.fssp.gov.ru/2726972/\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.6/\nhttps://altsp.su/obnovleniya-bezopasnosti/\nhttps://wiki.astralinux.ru/astra-linux-se16-bulletin-20251225SE16",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,8)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 6,5)"
}

FKIE_CVE-2022-30122

Vulnerability from fkie_nvd - Published: 2022-12-05 22:15 - Updated: 2024-11-21 07:02

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.

References

URL	Tags
support@hackerone.com	https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729	Third Party Advisory
support@hackerone.com	https://security.gentoo.org/glsa/202310-18	Third Party Advisory
support@hackerone.com	https://security.netapp.com/advisory/ntap-20231208-0012/	Third Party Advisory
support@hackerone.com	https://www.debian.org/security/2023/dsa-5530	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202310-18	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20231208-0012/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.debian.org/security/2023/dsa-5530	Third Party Advisory

Impacted products

Vendor	Product	Version
rack_project	rack	*
rack_project	rack	*
rack_project	rack	*
debian	debian_linux	11.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "442EB5AF-A390-4A62-8B4E-8A2C082864D3",
              "versionEndExcluding": "2.0.9.1",
              "versionStartIncluding": "1.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "32E774AF-E7BB-45EB-B5E4-66F8F5D36285",
              "versionEndExcluding": "2.1.4.1",
              "versionStartIncluding": "2.1.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6145EE1D-85D5-4744-BA51-88EC52FF2891",
              "versionEndExcluding": "2.2.3.1",
              "versionStartIncluding": "2.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A possible denial of service vulnerability exists in Rack \u003c2.0.9.1, \u003c2.1.4.1 and \u003c2.2.3.1 in the multipart parsing component of Rack."
    },
    {
      "lang": "es",
      "value": "Existe una posible vulnerabilidad de Denegaci\u00f3n de Servicio (DoS) en Rack \u0026lt;2.0.9.1, \u0026lt;2.1.4.1 y \u0026lt;2.2.3.1 en el componente de an\u00e1lisis multiparte de Rack."
    }
  ],
  "id": "CVE-2022-30122",
  "lastModified": "2024-11-21T07:02:12.160",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2022-12-05T22:15:10.227",
  "references": [
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202310-18"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20231208-0012/"
    },
    {
      "source": "support@hackerone.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5530"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202310-18"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20231208-0012/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://www.debian.org/security/2023/dsa-5530"
    }
  ],
  "sourceIdentifier": "support@hackerone.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "support@hackerone.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2022-30122 (GCVE-0-2022-30122)

CERTFR-2022-AVI-506

Solution

GHSA-HXQX-XWVH-44M2

Impact

Workarounds

GSD-2022-30122

CVE-2022-30122

FKIE_CVE-2022-30122

Tags

Sightings

Nomenclature