Vulnerability CVE-2011-5036

Vulnerability Name:

CVE-2011-5036 (CCN-72014)

Assigned:

2011-12-28

Published:

2011-12-28

Updated:

2013-10-31

Summary:

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-310

Vulnerability Consequences:

Denial of Service

References:

Vulnerable Configuration:

Configuration 1:

cpe:/a:rack_project:rack:*:*:*:*:*:*:*:* (Version <= 1.1.0)

OR cpe:/a:rack_project:rack:1.2.0:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.2.1:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.2.2:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.2.3:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.2.4:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.0:-:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.1:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.2:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.3:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.4:*:*:*:*:*:*:*

OR cpe:/a:rack_project:rack:1.3.5:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:29014	P	DSA-2783-2 -- librack-ruby -- several vulnerabilities	2015-08-17
oval:org.mitre.oval:def:19513	P	DSA-2783-1 librack-ruby - several	2014-06-23
oval:com.ubuntu.xenial:def:201150360000000	V	CVE-2011-5036 on Ubuntu 16.04 LTS (xenial) - medium.	2011-12-30
oval:com.ubuntu.precise:def:20115036000	V	CVE-2011-5036 on Ubuntu 12.04 LTS (precise) - medium.	2011-12-29
oval:com.ubuntu.trusty:def:20115036000	V	CVE-2011-5036 on Ubuntu 14.04 LTS (trusty) - medium.	2011-12-29
oval:com.ubuntu.xenial:def:20115036000	V	CVE-2011-5036 on Ubuntu 16.04 LTS (xenial) - medium.	2011-12-29

BACK