*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21510
### Vulnerable Library - sinatra-3.1.0.gem
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Versions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
For more information on CVSS3 Scores, click here.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-26146
### Vulnerable Library - rack-2.2.8.gem
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25126
### Vulnerable Library - rack-2.2.8.gem
Rack provides a minimal, modular and adaptable interface for developing
web applications in Ruby. By wrapping HTTP requests and responses in
the simplest way possible, it unifies and distills the API for web
servers, web frameworks, and software in between (the so-called
middleware) into a single method call.
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-3.1.0.gem
Path to dependency file: /ruby-sinatra-server/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-3.1.0.gem
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-26141
### Vulnerable Library - rack-2.2.8.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.8.gem
Path to dependency file: /ruby-sinatra-server/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.8.gem
Dependency Hierarchy: - sinatra-3.1.0.gem (Root Library) - :x: **rack-2.2.8.gem** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsRack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.
Publish Date: 2024-02-28
URL: CVE-2024-26141
### CVSS 3 Score Details (5.8)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26141
Release Date: 2024-02-28
Fix Resolution: rack - 2.2.8.1,3.0.9.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-21510
### Vulnerable Library - sinatra-3.1.0.gemSinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Library home page: https://rubygems.org/gems/sinatra-3.1.0.gem
Path to dependency file: /ruby-sinatra-server/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/sinatra-3.1.0.gem
Dependency Hierarchy: - :x: **sinatra-3.1.0.gem** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsVersions of the package sinatra from 0.0.0 are vulnerable to Reliance on Untrusted Inputs in a Security Decision via the X-Forwarded-Host (XFH) header. When making a request to a method with redirect applied, it is possible to trigger an Open Redirect Attack by inserting an arbitrary address into this header. If used for caching purposes, such as with servers like Nginx, or as a reverse proxy, without handling the X-Forwarded-Host header, attackers can potentially exploit Cache Poisoning or Routing-based SSRF.
Publish Date: 2024-11-01
URL: CVE-2024-21510
### CVSS 3 Score Details (5.4)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here. Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-26146
### Vulnerable Library - rack-2.2.8.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.8.gem
Path to dependency file: /ruby-sinatra-server/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.8.gem
Dependency Hierarchy: - sinatra-3.1.0.gem (Root Library) - :x: **rack-2.2.8.gem** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsRack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Publish Date: 2024-02-28
URL: CVE-2024-26146
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-26146
Release Date: 2024-02-28
Fix Resolution: rack - 2.0.9.4,2.1.4.4,2.2.8.1,3.0.9.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-25126
### Vulnerable Library - rack-2.2.8.gemRack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.
Library home page: https://rubygems.org/gems/rack-2.2.8.gem
Path to dependency file: /ruby-sinatra-server/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/rack-2.2.8.gem
Dependency Hierarchy: - sinatra-3.1.0.gem (Root Library) - :x: **rack-2.2.8.gem** (Vulnerable Library)
Found in base branch: master
### Vulnerability DetailsRack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Publish Date: 2024-02-28
URL: CVE-2024-25126
### CVSS 3 Score Details (5.3)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx
Release Date: 2024-02-28
Fix Resolution: rack - 2.2.8.1,3.0.9.1
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)