Description
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
Related CPEs
- Part: a
- Vendor: rack_project
- Product: rack
- 28
References
- http://secunia.com/advisories/52033 (Vendor Advisory)
- http://secunia.com/advisories/52134 (Vendor Advisory)
CVSS impact metrics
- CVSS V2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
- Base score: 5.1 (Medium)
Information
- Vulnerability status: Modified
- Published: 2013-02-08T20:55:01.640
- Last modified: 2023-02-13T04:40:27.140