Lucene search

Veracode Vulnerability DatabaseVERACODE:20571

HistoryJun 21, 2019 - 4:33 a.m.

Information Disclosure Through Timing Attack

2019-06-2104:33:08

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

0.006 Low

EPSS

Percentile

77.7%

JSON

actionpack and activesupport is vulnerable to information disclosure. The vulnerability exists as timing attack was possible through the lack of constant time string comparison made for the message digest, causing information disclosure.

CPENameOperatorVersion
actionpackle2.2.2
activesupportle2.3.3

CPE	Name	Operator	Version
	actionpack	le	2.2.2
	activesupport	le	2.3.3

References

lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

secunia.com/advisories/36600

weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails

www.debian.org/security/2011/dsa-2260

www.securityfocus.com/bid/37427

www.vupen.com/english/advisories/2009/2544

github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0

github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978

weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails/

0.006 Low

EPSS

Percentile

77.7%

JSON

Related for VERACODE:20571