CVE-2011-5036 : Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash valu

Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

Published 2011-12-30 01:55:02

Updated 2013-10-31 03:21:36

Source MITRE

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2011-5036

Rack Project » Rack
Versions up to, including, (<=) 1.1.0
cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.0
cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.1
cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.2.0
cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.2.1
cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.4
cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.5
cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.2.2
cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.2.3
cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.2.4
cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.2
cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*
Matching versions
Rack Project » Rack » Version: 1.3.3
cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-5036

EPSS FAQ

1.28%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 78 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-5036

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2011-5036

CWE-310

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-5036

http://www.nruns.com/_downloads/advisory28122011.pdf

Best 7 Best Internet Security Software in 2019

CVEs referencing this url
https://gist.github.com/52bbc6b9cc19ce330829

gist:52bbc6b9cc19ce330829 · GitHub
Exploit
http://www.kb.cert.org/vuls/id/903934

VU#903934 - Hash table implementations vulnerable to algorithmic complexity attacks
US Government Resource

CVEs referencing this url
http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

CVEs referencing this url
http://www.ocert.org/advisories/ocert-2011-003.html

oCERT archive

CVEs referencing this url
http://www.debian.org/security/2013/dsa-2783

Debian -- Security Information -- DSA-2783-1 librack-ruby

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2011-5036

Products affected by CVE-2011-5036

Exploit prediction scoring system (EPSS) score for CVE-2011-5036

CVSS scores for CVE-2011-5036

CWE ids for CVE-2011-5036

References for CVE-2011-5036