CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
55.3%
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a
timing-attack vulnerability in the CSRF token check: the submitted token is
compared against the session token with a comparison whose running time depends
on how many leading bytes match, which can expose the token (signature). The
attack appears to be exploitable by anyone with network connectivity to the Ruby
application. The vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
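The mechanism behind this class of bug, as an added example that is not rack-protection's or Sinatra's own code and is not taken from the linked fix commit: an early-exit string comparison stops at the first mismatching byte, so an attacker who can measure response time learns how long the correct prefix of a guess is and can recover a token one position at a time. Instead of wall-clock timing, both comparators below return the number of bytes they examined, which makes the leak observable deterministically. The constant-time version follows the XOR-and-OR construction used by `Rack::Utils.secure_compare`; the token value and alphabet are constructed for the example.

```ruby
# Constructed sample token for the demonstration; not a real session value.
SAMPLE_TOKEN = 'Xy9-csrf_Token_42ab'.freeze

# Models a plain String#== / memcmp-style check: returns at the first
# mismatching byte, so the work done (bytes examined) reveals the length of the
# correct prefix. Returns [matched?, bytes_examined].
def leaky_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  s = secret.bytes
  g = guess.bytes
  examined = 0
  s.each_index do |i|
    examined += 1
    return [false, examined] if s[i] != g[i]
  end
  [true, examined]
end

# Constant-time check in the style of Rack::Utils.secure_compare: every byte is
# visited and the differences are OR-ed together, so the work done does not
# depend on where the first mismatch is. The length check still leaks length,
# which is acceptable for fixed-length tokens. Returns [matched?, bytes_examined].
def constant_time_compare(secret, guess)
  return [false, 0] unless secret.bytesize == guess.bytesize
  s = secret.bytes
  g = guess.bytes
  diff = 0
  s.each_index { |i| diff |= s[i] ^ g[i] }
  [diff.zero?, s.length]
end

# Assumed token alphabet (URL-safe base64 style) for the attacker's search.
TOKEN_ALPHABET = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a + ['-', '_']).freeze

# Attacker side: recovers the token one position at a time using only the
# oracle's side channel (bytes examined), never the secret itself. A correct
# byte at position i lets the comparison advance past it; on the last position
# a successful match is the signal. Returns the attacker's final guess.
def recover_via_timing(secret_length, &oracle)
  guess = 'A' * secret_length
  secret_length.times do |i|
    scored = TOKEN_ALPHABET.map do |c|
      guess[i] = c
      matched, depth = oracle.call(guess)
      [matched ? secret_length + 1 : depth, c]
    end
    guess[i] = scored.max_by(&:first).last
  end
  guess
end

# Runs the attack against both comparators and reports whether each one
# leaked the token.
def demo(secret = SAMPLE_TOKEN)
  leaky = recover_via_timing(secret.bytesize) { |g| leaky_compare(secret, g) }
  safe  = recover_via_timing(secret.bytesize) { |g| constant_time_compare(secret, g) }
  { leaky_recovered: leaky == secret, constant_time_recovered: safe == secret }
end

if __FILE__ == $PROGRAM_NAME
  puts demo.inspect
end
```

In a real deployment the attacker observes response latency over the network rather than a byte count, so each guess has to be repeated and averaged to separate the signal from jitter; the structure of the attack is the same, and the remedy is the same as well: compare tokens with a constant-time routine such as `Rack::Utils.secure_compare` rather than `==`.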
OS | OS version | Architecture | Package | Affected package version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ruby-rack-protection | < 1.5.3-2+deb9u1build0.18.04.1 | UNKNOWN |
ubuntu | 16.04 | noarch | ruby-rack-protection | < 1.5.3-2+deb9u1build0.16.04.1 | UNKNOWN |
github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
launchpad.net/bugs/cve/CVE-2018-1000119
nvd.nist.gov/vuln/detail/CVE-2018-1000119
security-tracker.debian.org/tracker/CVE-2018-1000119
snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395
snyk.io/vuln/SNYK-RUBY-SINATRA-20470
www.cve.org/CVERecord?id=CVE-2018-1000119