{"id":"USN-5253-1","summary":"ruby-rack vulnerabilities","details":"It was discovered that Rack insecurely handled session ids. An\nunauthenticated remote attacker could possibly use this issue to perform\na timing attack and hijack sessions. (CVE-2019-16782)\n\nIt was discovered that Rack was incorrectly handling cookies during\nparsing, not validating them or performing the necessary integrity checks.\nAn attacker could possibly use this issue to overwrite existing cookie\ndata and gain control over a remote system's behaviour. This issue only\naffected Ubuntu 14.04 ESM. (CVE-2020-8184)\n\nIt was discovered that Rack was not properly parsing data when processing\nmultipart POST requests. If a user or automated system were tricked into\nsending a specially crafted multipart POST request to an application using\nRack, a remote attacker could possibly use this issue to cause a denial of\nservice. This issue was only fixed in Ubuntu 14.04 ESM and Ubuntu 16.04\nESM. (CVE-2022-30122)\n\nIt was discovered that Rack was not properly escaping untrusted data when\nperforming logging operations, which could cause shell escape sequences\nto be written to a terminal. If a user or automated system were tricked\ninto sending a specially crafted request to an application using Rack, a\nremote attacker could possibly use this issue to execute arbitrary code on\nthe machine running the application. This issue was only fixed in Ubuntu\n14.04 ESM and Ubuntu 16.04 ESM. (CVE-2022-30123)\n","modified":"2026-02-10T04:42:26Z","published":"2022-12-13T11:33:52Z","related":["UBUNTU-CVE-2019-16782","UBUNTU-CVE-2020-8184","UBUNTU-CVE-2022-30122","UBUNTU-CVE-2022-30123"],"upstream":["CVE-2019-16782","CVE-2020-8184","CVE-2022-30122","CVE-2022-30123","UBUNTU-CVE-2019-16782","UBUNTU-CVE-2020-8184","UBUNTU-CVE-2022-30122","UBUNTU-CVE-2022-30123"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-5253-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-16782"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2020-8184"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-30122"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2022-30123"}],"affected":[{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:14.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@1.5.2-3+deb8u3ubuntu1~esm4?arch=source&distro=trusty/esm"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.5.2-3+deb8u3ubuntu1~esm4"}]}],"versions":["1.5.2-1","1.5.2-1ubuntu0.1~esm1","1.5.2-3+deb8u3ubuntu1~esm2","1.5.2-3+deb8u3ubuntu1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"1.5.2-3+deb8u3ubuntu1~esm4","binary_name":"librack-ruby"},{"binary_version":"1.5.2-3+deb8u3ubuntu1~esm4","binary_name":"librack-ruby1.8"},{"binary_version":"1.5.2-3+deb8u3ubuntu1~esm4","binary_name":"librack-ruby1.9.1"},{"binary_version":"1.5.2-3+deb8u3ubuntu1~esm4","binary_name":"ruby-rack"}],"availability":"Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5253-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2020-8184"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-30122"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-30123"}],"ecosystem":"Ubuntu:Pro:14.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm2?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.4-3ubuntu0.2+esm2"}]}],"versions":["1.5.2-4","1.6.4-2","1.6.4-3","1.6.4-3ubuntu0.1","1.6.4-3ubuntu0.2","1.6.4-3ubuntu0.2+esm1"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.4-3ubuntu0.2+esm2","binary_name":"ruby-rack"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5253-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-30122"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2022-30123"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm1?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.4-4ubuntu0.2+esm1"}]}],"versions":["1.6.4-4","1.6.4-4ubuntu0.1","1.6.4-4ubuntu0.2"],"ecosystem_specific":{"binaries":[{"binary_version":"1.6.4-4ubuntu0.2+esm1","binary_name":"ruby-rack"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5253-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-16782"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm1?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.7-2ubuntu0.1+esm1"}]}],"versions":["2.0.6-3","2.0.7-2","2.0.7-2ubuntu0.1"],"ecosystem_specific":{"binaries":[{"binary_version":"2.0.7-2ubuntu0.1+esm1","binary_name":"ruby-rack"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-5253-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-16782"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}}],"schema_version":"1.7.3"}