GitHub Advisory DatabaseGHSA-XC85-32MF-XPV8Rack arbitrary code execution via timing attack
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
94.4%
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
Affected configurations
References
lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
rhn.redhat.com/errata/RHSA-2013-0686.html
www.debian.org/security/2013/dsa-2783
bugzilla.redhat.com/show_bug.cgi?id=909071
gist.github.com/codahale/f9f3781f7b54985bee94
github.com/advisories/GHSA-xc85-32mf-xpv8
github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
nvd.nist.gov/vuln/detail/CVE-2013-0263
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS
Percentile
94.4%