CVE-2022-30123

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

Published: Dec 5, 2022
Updated: Oct 23, 2023
CVE: CVE-2022-30123
GHSA: GHSA-wq4h-7r42-5hrr
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 10
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
rack_project / rack	2.2.0	2.2.3.1
rack_project / rack	2.1.0	2.1.4.1
rack_project / rack	-	2.0.9.1
rack	-	2.0.9.1
rack	2.1	2.1.4.1
rack	2.2	2.2.3.1
debian / debian_linux	11.0	11.0.x

https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728
https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml
https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8
https://security.gentoo.org/glsa/202310-18
https://security.netapp.com/advisory/ntap-20231208-0011/
https://www.debian.org/security/2023/dsa-5530

Vulnerability Database

289,697

CVE-2022-30123