gsd-2011-5036
Vulnerability from gsd
Modified
2011-12-28 00:00
Details
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2011-5036",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"id": "GSD-2011-5036",
"references": [
"https://www.suse.com/security/cve/CVE-2011-5036.html",
"https://www.debian.org/security/2013/dsa-2783"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack",
"purl": "pkg:gem/rack"
}
}
],
"aliases": [
"CVE-2011-5036",
"OSVDB-78121"
],
"details": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"id": "GSD-2011-5036",
"modified": "2011-12-28T00:00:00.000Z",
"published": "2011-12-28T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5036"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5036",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "https://gist.github.com/52bbc6b9cc19ce330829",
"refsource": "CONFIRM",
"url": "https://gist.github.com/52bbc6b9cc19ce330829"
},
{
"name": "VU#903934",
"refsource": "CERT-VN",
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "DSA-2783",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2013/dsa-2783"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2011-5036",
"cvss_v2": 5.0,
"date": "2011-12-28",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"gem": "rack",
"osvdb": 78121,
"patched_versions": [
"~\u003e 1.1.3",
"~\u003e 1.2.5",
"~\u003e 1.3.6",
"\u003e= 1.4.0"
],
"title": "CVE-2011-5036 rubygem-rack: hash table collisions DoS (oCERT-2011-003)",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5036"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c1.1.3||\u003e=1.2.0 \u003c1.2.5||\u003e=1.3.0.beta \u003c1.3.6",
"affected_versions": "All versions before 1.1.3, all versions starting from 1.2.0 before 1.2.5, all versions starting from 1.3.0.beta before 1.3.6",
"credit": "James Tucker",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-310",
"CWE-937"
],
"date": "2013-10-30",
"description": "This package contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker sends multiple crafted parameters which trigger hash collisions, and will result in loss of availability for the program via CPU consumption.",
"fixed_versions": [
"1.1.3",
"1.2.5",
"1.3.6",
"1.4.0"
],
"identifier": "CVE-2011-5036",
"identifiers": [
"CVE-2011-5036"
],
"not_impacted": "All versions starting from 1.1.3 before 1.2.0, all versions starting from 1.2.5 before 1.3.0.beta, all versions starting from 1.3.6",
"package_slug": "gem/rack",
"pubdate": "2011-12-29",
"solution": "Upgrade to versions 1.1.3, 1.2.5, 1.3.6, 1.4.0 or above.",
"title": "Hash Collision Form Parameter Parsing Remote DoS",
"urls": [
"http://osvdb.org/show/osvdb/78121",
"https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228"
],
"uuid": "91c10b9d-8a39-4a86-b6a1-7285cddf1d53"
},
{
"affected_range": "(,1.6.5.1)",
"affected_versions": "All versions before 1.6.5.1",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-310",
"CWE-937"
],
"date": "2023-03-27",
"description": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.",
"fixed_versions": [
"1.6.5.1"
],
"identifier": "CVE-2011-5036",
"identifiers": [
"GHSA-v6j3-7jrw-hq2p",
"CVE-2011-5036"
],
"not_impacted": "All versions starting from 1.6.5.1",
"package_slug": "maven/org.jruby/jruby-parent",
"pubdate": "2022-05-17",
"solution": "Upgrade to version 1.6.5.1 or above.",
"title": "Rack subject to Denial of Service via hash collisions",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2011-5036",
"https://gist.github.com/52bbc6b9cc19ce330829",
"http://www.debian.org/security/2013/dsa-2783",
"http://www.kb.cert.org/vuls/id/903934",
"http://www.ocert.org/advisories/ocert-2011-003.html",
"https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1",
"https://github.com/advisories/GHSA-v6j3-7jrw-hq2p"
],
"uuid": "87cc4514-94d9-45d1-bb2d-1e027bc594cd"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "1.1.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-5036"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-310"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "VU#903934",
"refsource": "CERT-VN",
"tags": [
"US Government Resource"
],
"url": "http://www.kb.cert.org/vuls/id/903934"
},
{
"name": "https://gist.github.com/52bbc6b9cc19ce330829",
"refsource": "CONFIRM",
"tags": [
"Exploit"
],
"url": "https://gist.github.com/52bbc6b9cc19ce330829"
},
{
"name": "http://www.ocert.org/advisories/ocert-2011-003.html",
"refsource": "MISC",
"tags": [],
"url": "http://www.ocert.org/advisories/ocert-2011-003.html"
},
{
"name": "http://www.nruns.com/_downloads/advisory28122011.pdf",
"refsource": "MISC",
"tags": [],
"url": "http://www.nruns.com/_downloads/advisory28122011.pdf"
},
{
"name": "20111228 n.runs-SA-2011.004 - web programming languages and platforms - DoS through hash table",
"refsource": "BUGTRAQ",
"tags": [],
"url": "http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html"
},
{
"name": "DSA-2783",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2013/dsa-2783"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2013-10-31T03:21Z",
"publishedDate": "2011-12-30T01:55Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…