{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-49007","title":"Title"},{"category":"description","text":"Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. 
Version 3.1.16 contains a patch for the vulnerability.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-49007","url":"https://www.suse.com/security/cve/CVE-2025-49007"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1244113 for CVE-2025-49007","url":"https://bugzilla.suse.com/1244113"}],"title":"SUSE CVE CVE-2025-49007","tracking":{"current_release_date":"2025-07-07T23:22:40Z","generator":{"date":"2025-06-06T02:14:11Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-49007","initial_release_date":"2025-06-06T02:14:11Z","revision_history":[{"date":"2025-06-06T02:14:11Z","number":"2","summary":"Current version"},{"date":"2025-07-07T23:22:40Z","number":"3","summary":"Current version"}],"status":"interim","version":"3"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP3","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp3"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise 
High Availability Extension 15 SP5","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP6","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP6","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP6","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp6"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP7","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP7","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp7"}}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"ruby2.5-rubygem-rack","product":{"name":"ruby2.5-rubygem-rack","product_id":"ruby2.5-rubygem-rack","product_identification_helper":{"cpe":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/ruby2.5-rubygem-rack@?upstream=rubygem-rack.src.rpm"}}},{"category":"product_version","name":"ruby2.5-rubygem-rack-doc","product":{"name":"ruby2.5-rubygem-rack-doc","product_id":"ruby2.5-rubygem-rack-doc","product_identification_helper":{"cpe":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/ruby2.5-rubygem-rack-doc@?upstream=rubygem-rack.src.rpm"}}},{"category":"product_version","name":"ruby2.5-rubygem-rack-testsuite","product":{"name":"ruby2.5-rubygem-rack-testsuite","product_id":"ruby2.5-rubygem-rack-testsuite","product_identification_helper":{"cpe":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/ruby2.5-rubygem-rack-testsuite@?upst
ream=rubygem-rack.src.rpm"}}},{"category":"product_version","name":"rubygem-rack","product":{"name":"rubygem-rack","product_id":"rubygem-rack","product_identification_helper":{"cpe":"cpe:2.3:a:rack_project:rack:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/rubygem-rack@?upstream=rubygem-rack.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP3","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP3"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as 
component of SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP6","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP6","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP6:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP6"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP7","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of SUSE Linux Enterprise High Availability Extension 15 SP7","product_id":"SUSE Linux Enterprise High 
Availability Extension 15 SP7:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:ruby2.5-rubygem-rack"},"product_reference":"ruby2.5-rubygem-rack","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack-doc as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:ruby2.5-rubygem-rack-doc"},"product_reference":"ruby2.5-rubygem-rack-doc","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"ruby2.5-rubygem-rack-testsuite as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:ruby2.5-rubygem-rack-testsuite"},"product_reference":"ruby2.5-rubygem-rack-testsuite","relates_to_product_reference":"openSUSE Leap 15.6"},{"category":"default_component_of","full_product_name":{"name":"rubygem-rack as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:rubygem-rack"},"product_reference":"rubygem-rack","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2025-49007","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-49007"}],"notes":[{"category":"general","text":"Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. 
Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP5:rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP6:rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-rack","SUSE Linux Enterprise High Availability Extension 15 SP7:rubygem-rack","openSUSE Leap 15.6:ruby2.5-rubygem-rack","openSUSE Leap 15.6:ruby2.5-rubygem-rack-doc","openSUSE Leap 15.6:ruby2.5-rubygem-rack-testsuite","openSUSE Leap 15.6:rubygem-rack"]},"references":[{"category":"external","summary":"CVE-2025-49007","url":"https://www.suse.com/security/cve/CVE-2025-49007"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1244113 for CVE-2025-49007","url":"https://bugzilla.suse.com/1244113"}],"threats":[{"category":"impact","date":"2025-06-05T00:01:39Z","details":"moderate"}],"title":"CVE-2025-49007"}]}