​
DirectorySecurity Advisories
Sign In
Security Advisories

CGA-pqqq-69p9-48g7

Published

Last updated

https://images.chainguard.dev/security/CGA-pqqq-69p9-48g7
Package

kube-fluentd-operator

Latest Update
Fixed
Fixed Version

1.18.2-r3

Aliases
  • CVE-2024-25126
  • GHSA-22f2-v57c-j9cx

Severity

5.3

Medium

CVSS V3

Summary

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Description

Summary

module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

References

Updates


Safe Source for Open Sourceâ„¢
Media KitContact Us
© 2024 Chainguard. All Rights Reserved.
Private PolicyTerms of Use

Product

Chainguard Images