CVE-2013-0263
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.4 High
AI Score
Confidence
Low
0.084 Low
EPSS
Percentile
94.4%
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
Affected configurations
References
lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
rack.github.com/
rhn.redhat.com/errata/RHSA-2013-0686.html
secunia.com/advisories/52033
secunia.com/advisories/52134
secunia.com/advisories/52774
www.debian.org/security/2013/dsa-2783
www.osvdb.org/89939
bugzilla.redhat.com/show_bug.cgi?id=909071
gist.github.com/codahale/f9f3781f7b54985bee94
github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
puppet.com/security/cve/cve-2013-0263
twitter.com/coda/statuses/299732877745197056
Related
5.1 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
HIGH
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:H/Au:N/C:P/I:P/A:P
7.4 High
AI Score
Confidence
Low
0.084 Low
EPSS
Percentile
94.4%