CVE-2013-0263

Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

Related CPE's

arack_projectrack1.5.1*******

arack_projectrack1.5.0*******

arack_projectrack1.4.4*******

arack_projectrack1.4.2*******

arack_projectrack1.4.3*******

arack_projectrack1.4.0*******

arack_projectrack1.4.1*******

arack_projectrack1.3.1*******

arack_projectrack1.3.7*******

arack_projectrack1.3.8*******

References

https://gist.github.com/codahale/f9f3781f7b54985bee94

https://bugzilla.redhat.com/show_bug.cgi?id=909071

52134

Vendor Advisory

https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

http://rack.github.com/

Vendor Advisory

89939

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

https://twitter.com/coda/statuses/299732877745197056

https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

52033

Vendor Advisory

52774

RHSA-2013:0686

openSUSE-SU-2013:0462

DSA-2783

https://puppet.com/security/cve/cve-2013-0263

https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

CvssV3 impact

Could not find any metrics

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:H/Au:N/C:P/I:P/A:P

AccessVector

NETWORK

AccessComplexity

HIGH

Authentication

NONE

ConfidentialityImpact

PARTIAL

IntegrityImpact

PARTIAL

AvailabilityImpact

PARTIAL

BaseScore

5.099999904632568

Created by Yello
About Severity.io