Bug 1209095 (CVE-2023-27530) - VUL-0: CVE-2023-27530: rubygem-rack: Denial of service in Multipart MIME parsing
Summary: VUL-0: CVE-2023-27530: rubygem-rack: Denial of service in Multipart MIME parsing
Status: RESOLVED FIXED
Alias: CVE-2023-27530
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/359524/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-27530:7.5:(AV:...
Keywords:
Depends on: 1209096
Blocks:
Reported: 2023-03-09 09:50 UTC by Cathy Hu
Modified: 2023-05-31 10:14 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Cathy Hu 2023-03-09 09:50:46 UTC
CVE-2023-27530

There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All.
Not affected: None.
Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.

References:
https://github.com/rubysec/ruby-advisory-db/tree/master/gems/rack/CVE-2023-27530.yml
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-27530
https://bugzilla.redhat.com/show_bug.cgi?id=2176477
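The workaround in the advisory is to cap the POST body size in front of the application. The following is an added example written for this page (it is not code from the Rack project or from the advisory): a small Rack-style middleware that enforces a body-size cap in the application stack itself, so that an oversized multipart body is rejected with 413 before any multipart parsing runs. It depends only on the Ruby standard library, uses the standard Rack env keys (CONTENT_LENGTH, rack.input), and the class name BodySizeLimit, the default limit and the sample bodies are assumptions constructed for the demo.

```ruby
require "stringio"

# Rack-style middleware (illustrative, not part of Rack) that rejects request
# bodies larger than +limit+ bytes before the downstream app can parse them.
class BodySizeLimit
  DEFAULT_LIMIT = 1 * 1024 * 1024 # 1 MiB, an assumed example default

  class TooLarge < StandardError; end

  # Wraps rack.input so that bodies streamed without a Content-Length
  # (e.g. chunked uploads) are cut off once more than +limit+ bytes are read.
  class LimitedInput
    def initialize(io, limit)
      @io = io
      @limit = limit
      @consumed = 0
    end

    def read(*args)
      data = @io.read(*args)
      account(data)
      data
    end

    def gets
      data = @io.gets
      account(data)
      data
    end

    def each(&block)
      @io.each { |chunk| account(chunk); block.call(chunk) }
    end

    def rewind
      @io.rewind
      @consumed = 0
    end

    private

    # Raise as soon as the running byte count crosses the limit.
    def account(data)
      return if data.nil?
      @consumed += data.bytesize
      raise TooLarge, "request body exceeds #{@limit} bytes" if @consumed > @limit
    end
  end

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    length = env["CONTENT_LENGTH"]
    # Fast path: a declared Content-Length above the limit is rejected
    # without reading a single byte of the body.
    return reject if length && length.to_i > @limit

    env["rack.input"] = LimitedInput.new(env["rack.input"], @limit) if env["rack.input"]
    @app.call(env)
  rescue TooLarge
    reject
  end

  private

  def reject
    [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
  end
end

# Toy downstream app that consumes the whole body, standing in for an app
# whose multipart parser would otherwise process every part of the upload.
ECHO_APP = lambda do |env|
  body = env["rack.input"].read
  [200, { "content-type" => "text/plain" }, ["read #{body.bytesize} bytes"]]
end

# Builds a minimal Rack env for a multipart POST with the given body; the
# Content-Length header is omitted when +declare_length+ is false.
def build_env(body, declare_length: true)
  env = {
    "REQUEST_METHOD" => "POST",
    "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
    "rack.input" => StringIO.new(body),
  }
  env["CONTENT_LENGTH"] = body.bytesize.to_s if declare_length
  env
end

# Returns the HTTP status the limited stack produces for the given body.
def status_for(body, limit:, declare_length: true)
  app = BodySizeLimit.new(ECHO_APP, limit: limit)
  app.call(build_env(body, declare_length: declare_length)).first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample bodies: one small single-part form and one far over the cap.
  small = "--AaB03x\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\n1\r\n--AaB03x--\r\n"
  huge  = "--AaB03x\r\n" * 100_000
  puts status_for(small, limit: 1024)                        # 200
  puts status_for(huge, limit: 1024)                         # 413
  puts status_for(huge, limit: 1024, declare_length: false)  # 413
end
```

The cap is enforced twice on purpose: the Content-Length check refuses clearly oversized requests cheaply, and the wrapped input catches bodies that arrive without a length. A reverse-proxy limit (as the advisory suggests) is still the better first line, because it stops the bytes before they reach the Ruby process at all; the middleware is a defence-in-depth layer for deployments where the proxy configuration is not under the application team's control.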
Comment 1 Cathy Hu 2023-03-09 09:51:16 UTC
Affected:
- SUSE:SLE-12:Update/rubygem-rack
- SUSE:SLE-15:Update/rubygem-rack
- openSUSE:Factory/rubygem-rack
Comment 2 Petr Gajdos 2023-03-09 12:31:36 UTC
https://build.opensuse.org/request/show/1070409
Comment 3 Petr Gajdos 2023-03-09 13:21:03 UTC
Submitted for 15/rubygem-rack.

I do not think 12/rubygem-rack is affected by this CVE (no handle_mime_head or mime_parts code).
Comment 6 Cathy Hu 2023-03-09 14:58:31 UTC
Okay, thanks, adjusting the tracking.
Comment 7 Maintenance Automation 2023-03-14 16:30:04 UTC
SUSE-SU-2023:0725-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1209095
CVE References: CVE-2023-27530
Sources used:
openSUSE Leap 15.4 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): rubygem-rack-2.0.8-150000.3.15.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): rubygem-rack-2.0.8-150000.3.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Petr Gajdos 2023-03-23 08:25:14 UTC
I believe all fixed.