Vulnerability Name:CVE-2015-3225 (CCN-103917)

Assigned:2015-06-16
Published:2015-06-16
Updated:2018-10-30
Summary:lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
4.3 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
3.2 Low (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
Vulnerability Type:CWE-19
CWE-400
Vulnerability Consequences:Denial of Service
References:Source: MITRE
Type: CNA
CVE-2015-3225

Source: FEDORA
Type: UNKNOWN
FEDORA-2015-12978

Source: FEDORA
Type: UNKNOWN
FEDORA-2015-12979

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2015:1259

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2015:1262

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2015:1263

Source: MLIST
Type: Mailing List, Third Party Advisory
[oss-security] 20150616 [CVE-2015-3225] Potential Denial of Service Vulnerability in Rack

Source: CCN
Type: Rack Web site
Rack

Source: REDHAT
Type: UNKNOWN
RHSA-2015:2290

Source: CCN
Type: oss-security Mailing List, Tue, 16 Jun 2015 11:03:35 -0700
[CVE-2015-3225] Potential Denial of Service Vulnerability in Rack

Source: DEBIAN
Type: UNKNOWN
DSA-3322

Source: BID
Type: UNKNOWN
75232

Source: CCN
Type: BID-75232
Rack 'normalize_params()' Function Denial of Service Vulnerability

Source: XF
Type: UNKNOWN
rack-cve20153225-dos(103917)

Source: CONFIRM
Type: Issue Tracking, Patch, Vendor Advisory
https://github.com/rack/rack/blob/master/HISTORY.md

Source: MLIST
Type: Mailing List, Third Party Advisory
[rubyonrails-security] 20150616 [CVE-2015-3225] Potential Denial of Service Vulnerability in Rack

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2015-3225

Vulnerable Configuration:Configuration 1:
  • cpe:/a:rack_project:rack:*:*:*:*:*:*:*:* (Version <= 1.5.3)
  • OR cpe:/a:rack_project:rack:1.6.0:-:*:*:*:*:*:*
  • OR cpe:/a:rack_project:rack:1.6.1:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
  • OR cpe:/o:opensuse:opensuse:13.2:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:rack_project:rack:1.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:rack_project:rack:1.2.6:*:*:*:*:*:*:*
  • OR cpe:/a:rack_project:rack:1.3.6:*:*:*:*:*:*:*
  • OR cpe:/a:crawltrack:crawltrack:1.4.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:20153225 | V | CVE-2015-3225 | 2022-06-30
oval:org.opensuse.security:def:25 | P | chrony-3.2-9.18.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:11 | P | automake-1.15.1-2.145 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:113400 | P | ruby2.7-rubygem-rack-2.0-2.0.9-1.10 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:113401 | P | ruby2.7-rubygem-rack-2.2.3-1.7 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:113362 | P | ruby2.2-rubygem-rack-1_6-1.6.5-1.1 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:113399 | P | ruby2.7-rubygem-rack-1_6-1.6.13-1.13 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106804 | P | Security update for busybox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:106805 | P | Security update for MozillaFirefox (Important) (in QA) | 2022-01-14
oval:org.opensuse.security:def:55264 | P | Security update for binutils (Moderate) | 2021-11-02
oval:org.opensuse.security:def:106806 | P | ruby2.7-rubygem-rack-2.2.3-1.7 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:106769 | P | ruby2.2-rubygem-rack-1_6-1.6.5-1.1 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:55947 | P | Security update for Mesa (Moderate) | 2021-09-16
oval:org.opensuse.security:def:13857 | P | kbd-1.15.5-8.7.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14739 | P | ppc64-diag-2.7.4-1.18 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14066 | P | xorg-x11-7.6_1-14.17 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13810 | P | dstat-0.7.2-1.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13893 | P | libdcerpc-binding0-32bit-4.4.2-29.4 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14011 | P | ppc64-diag-2.7.1-5.6 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14055 | P | w3m-0.5.3-157.1 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13874 | P | libXi6-1.7.4-9.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:13986 | P | mozilla-nspr-32bit-4.12-15.2 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14717 | P | opie-2.4-724.56 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:14079 | P | ant-1.9.4-1.31 on GA media (Moderate) | 2021-08-16
oval:org.opensuse.security:def:38200 | P | Security update for libcares2 (Important) | 2021-08-10
oval:org.opensuse.security:def:70788 | P | Security update for the Linux Kernel (Important) | 2021-07-14
oval:org.opensuse.security:def:38360 | P | Security update for xorg-x11-libX11 (Important) | 2021-06-15
oval:org.opensuse.security:def:70901 | P | file-5.32-5.22 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13712 | P | qemu-2.3.1-5.7 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13742 | P | vino-3.10.1-1.86 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:13720 | P | ruby-2.1-1.6 on GA media (Moderate) | 2021-06-08
oval:org.opensuse.security:def:38110 | P | Security update for cups (Important) | 2021-04-30
oval:org.opensuse.security:def:67548 | P | Security update for the Linux Kernel (Important) | 2021-02-09
oval:org.opensuse.security:def:55781 | P | Security update for python (Important) | 2020-12-11
oval:org.opensuse.security:def:55124 | P | Security update for postgresql12 (Important) | 2020-12-04
oval:org.opensuse.security:def:96510 | P | ruby2.5-rubygem-rack-2.0.3-1.29 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:103200 | P | ruby2.5-rubygem-rack-2.0.3-1.29 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:89545 | P | ruby2.5-rubygem-rack-2.0.3-1.29 on GA media (Moderate) | 2020-12-03
oval:org.opensuse.security:def:26439 | P | Security update for MozillaThunderbird (Important) | 2020-12-01
oval:org.opensuse.security:def:27670 | P | Security update for rubygem-rack-cache | 2020-12-01
oval:org.opensuse.security:def:26438 | P | Security update for ansible (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27156 | P | kdebase3-runtime on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27142 | P | gtk2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56340 | P | Security update for libvorbis (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26514 | P | LibVNCServer on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27851 | P | Security update for pam | 2020-12-01
oval:org.opensuse.security:def:26449 | P | Security update for nginx (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27364 | P | PolicyKit-devel on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27213 | P | librsvg on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26780 | P | lvm2 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56506 | P | Security update for evince (Important) | 2020-12-01
oval:org.opensuse.security:def:26722 | P | kbd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38468 | P | radvd on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27568 | P | struts on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:39217 | P | libvpx1-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37731 | P | apache2-mod_jk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27015 | P | perl-spamassassin on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38579 | P | dnsmasq on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26939 | P | libadns1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26938 | P | libQtWebKit4-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38053 | P | rpm-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27656 | P | Security update for python-httplib2 | 2020-12-01
oval:org.opensuse.security:def:27116 | P | emacs on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27886 | P | Security update for rubygem-rack (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27014 | P | perl-libwww-perl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56232 | P | Security update for ImageMagick (Important) | 2020-12-01
oval:org.opensuse.security:def:27852 | P | Security update for perl | 2020-12-01
oval:org.opensuse.security:def:26450 | P | Security update for MozillaThunderbird (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27214 | P | libsamplerate on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37719 | P | DirectFB on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27280 | P | python-pywbem on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27169 | P | libFLAC++6 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26723 | P | kde4-kgreeter-plugins on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56432 | P | Security update for libxml2 (Low) | 2020-12-01
oval:org.opensuse.security:def:39259 | P | Security update for rubygem-rack-1_4 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26641 | P | syslog-ng on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64114 | P | Security update for mozilla-nspr, mozilla-nss (Important) | 2020-12-01
oval:org.opensuse.security:def:27515 | P | mercurial on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56625 | P | Security update for libssh (Important) | 2020-12-01
oval:org.opensuse.security:def:37720 | P | MozillaFirefox on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26863 | P | apache2-mod_jk on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38535 | P | DirectFB on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55675 | P | Security update for glibc (Important) | 2020-12-01
oval:org.opensuse.security:def:37952 | P | libquicktime0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27117 | P | enscript on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27887 | P | Security update for rubygem-rack-1_4 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27067 | P | LibVNCServer on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:28352 | P | Security update for php53 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26950 | P | libgdiplus0 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27714 | P | Security update for bind (Important) | 2020-12-01
oval:org.opensuse.security:def:55101 | P | eog on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27170 | P | libMagickCore1-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26437 | P | Security update for enigmail (Important) | 2020-12-01
oval:org.opensuse.security:def:27223 | P | libtspi1 on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27155 | P | kde4-kgreeter-plugins on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:64201 | P | ruby2.5-rubygem-rack on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26642 | P | sysstat on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38419 | P | mozilla-nspr-32bit on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:67448 | P | Security update for freetds (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26513 | P | Security update for chromium (Important) | 2020-12-01
oval:org.opensuse.security:def:55102 | P | evince on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26864 | P | apache2-mod_perl on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:56544 | P | Security update for rsyslog (Moderate) | 2020-12-01
oval:org.opensuse.security:def:26779 | P | logwatch on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:38507 | P | unrar on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:55502 | P | Security update for gdm (Low) | 2020-12-01
oval:org.opensuse.security:def:27617 | P | Security update for freetype2 | 2020-12-01
oval:org.opensuse.security:def:28387 | P | Security update for rubygem-rack-1_4 (Moderate) | 2020-12-01
oval:org.opensuse.security:def:37815 | P | gv on GA media (Moderate) | 2020-12-01
oval:org.opensuse.security:def:27068 | P | Mesa-32bit on GA media (Moderate) | 2020-12-01
oval:org.cisecurity:def:209 | P | DSA-3322-1 -- ruby-rack -- security update | 2016-02-08
oval:com.redhat.rhsa:def:20152290 | P | RHSA-2015:2290: pcs security, bug fix, and enhancement update (Moderate) | 2015-11-19
oval:com.ubuntu.xenial:def:201532250000000 | V | CVE-2015-3225 on Ubuntu 16.04 LTS (xenial) - low. | 2015-07-26
oval:com.ubuntu.precise:def:20153225000 | V | CVE-2015-3225 on Ubuntu 12.04 LTS (precise) - low. | 2015-07-26
oval:com.ubuntu.artful:def:20153225000 | V | CVE-2015-3225 on Ubuntu 17.10 (artful) - low. | 2015-07-26
oval:com.ubuntu.disco:def:201532250000000 | V | CVE-2015-3225 on Ubuntu 19.04 (disco) - low. | 2015-07-26
oval:com.ubuntu.trusty:def:20153225000 | V | CVE-2015-3225 on Ubuntu 14.04 LTS (trusty) - low. | 2015-07-26
oval:com.ubuntu.cosmic:def:201532250000000 | V | CVE-2015-3225 on Ubuntu 18.10 (cosmic) - low. | 2015-07-26
oval:com.ubuntu.bionic:def:20153225000 | V | CVE-2015-3225 on Ubuntu 18.04 LTS (bionic) - low. | 2015-07-26
oval:com.ubuntu.xenial:def:20153225000 | V | CVE-2015-3225 on Ubuntu 16.04 LTS (xenial) - low. | 2015-07-26
oval:com.ubuntu.bionic:def:201532250000000 | V | CVE-2015-3225 on Ubuntu 18.04 LTS (bionic) - low. | 2015-07-26
oval:com.ubuntu.cosmic:def:20153225000 | V | CVE-2015-3225 on Ubuntu 18.10 (cosmic) - low. | 2015-07-26