CVE-2022-30123

moderate-risk

Published 2022-12-05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack.

Do I need to act?

2.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: f9cc7c2ae161820e36635734cff6e932d99e6aa8, 374f89aaa9ee5dc1de0802bfecce988cabfa3ead, 925a4a6599ab26b4f3455b525393fe155d443655

CVSS 10.0/10 Critical

NETWORK / LOW complexity

Affected Products (2)

Rack

Debian Linux

Affected Vendors

Debian Rack Project

References (8)

Third Party Advisory https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-...

Third Party Advisory https://security.gentoo.org/glsa/202310-18

https://security.netapp.com/advisory/ntap-20231208-0011/

Third Party Advisory https://www.debian.org/security/2023/dsa-5530

Third Party Advisory https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-...

Third Party Advisory https://security.gentoo.org/glsa/202310-18

https://security.netapp.com/advisory/ntap-20231208-0011/

Third Party Advisory https://www.debian.org/security/2023/dsa-5530

/ 100

moderate-risk

Severity 33/34 · Critical

Exploitability 5/34 · Minimal

Exposure 7/34 · Low