CVE-2012-6109

medium

Published 2012-05-04 · Modified 2024-11-29

CVSS v3

—

CVSS v2

4.3

VIR risk

4.3

Description

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2012-6109

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`1.4.1-2.1`
debian	bullseye	fixed	`1.4.1-2.1`
debian	forky	fixed	`1.4.1-2.1`
debian	sid	fixed	`1.4.1-2.1`
debian	trixie	fixed	`1.4.1-2.1`

Package impact

Ecosystem	Package	Vulnerable	Fixed
RubyGems	rack	`<~> 1.1.4`	`~> 1.1.4`
RubyGems	rack	`<1.1.4`	`1.1.4`
RubyGems	rack	`>=1.2.0,<1.2.6`	`1.2.6`
RubyGems	rack	`>=1.3.0,<1.3.7`	`1.3.7`
RubyGems	rack	`>=1.4.0,<1.4.2`	`1.4.2`

Application impact

Vendor	Product	Versions
rack_project	rack	`{"endIncluding":"1.1.3"}`
rack_project	rack	`0.1`
rack_project	rack	`0.2`
rack_project	rack	`0.3`
rack_project	rack	`0.4`
rack_project	rack	`0.9`
rack_project	rack	`0.9.1`
rack_project	rack	`1.0.0`
rack_project	rack	`1.0.1`
rack_project	rack	`1.1.0`
rack_project	rack	`1.1.2`
rack_project	rack	`1.2.0`
rack_project	rack	`1.2.1`
rack_project	rack	`1.2.2`
rack_project	rack	`1.2.3`
rack_project	rack	`1.2.4`
rack_project	rack	`1.3.0`
rack_project	rack	`1.3.1`
rack_project	rack	`1.3.2`
rack_project	rack	`1.3.3`
rack_project	rack	`1.3.4`
rack_project	rack	`1.3.5`
rack_project	rack	`1.3.6`
rack_project	rack	`1.4.0`
rack_project	rack	`1.4.1`

References

Verify integrity in audit chain (admin only). AS-IS.