GHSA-688c-3x49-6rqj

Source
https://github.com/advisories/GHSA-688c-3x49-6rqj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-688c-3x49-6rqj/GHSA-688c-3x49-6rqj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-688c-3x49-6rqj
Aliases
Published
2018-03-07T22:22:22Z
Modified
2023-11-01T05:43:54.098205Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
rack-protection gem timing attack vulnerability when validating CSRF token
Details

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing-attack vulnerability in the CSRF token check that can result in the token being exposed: the comparison of the submitted token against the session token is not constant-time, so response latency reveals how many leading bytes of a guess are correct. The attack appears to be exploitable by any client with network connectivity to the Ruby application. The vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
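
The mechanism behind the advisory, as an added example that is not rack-protection's own code: Ruby's `String#==` hands the bytes to `memcmp`, which typically returns at the first mismatching byte, so a wrong token that shares a longer prefix with the real one takes slightly longer to reject. The block below models that early exit as an exact step count instead of nanoseconds (a real attacker needs many requests per guess and statistics to see the signal), shows the XOR-fold comparison that removes it, and recovers a constructed sample token byte by byte through the leaky check while failing against the constant-time one. `csrf_accepts?`, `build_oracle`, `recover_token` and the sample token are hypothetical; Rack itself ships `Rack::Utils.secure_compare` for production code.

```ruby
require 'digest'

# --- Vulnerable check -------------------------------------------------------
# Models String#== on the token: bytes are compared left to right and the
# comparison returns at the first mismatch. Returns [equal?, bytes_examined];
# the second value stands in for the response latency an attacker observes.
def leaky_compare(expected, submitted)
  return [false, 0] unless expected.bytesize == submitted.bytesize
  expected.bytes.zip(submitted.bytes).each_with_index do |(e, s), i|
    return [false, i + 1] if e != s
  end
  [true, expected.bytesize]
end

# --- Fixed check, instrumented the same way ---------------------------------
# XOR-folds every byte and only inspects the accumulator at the end, so the
# work done does not depend on where the first mismatch is. The length check
# still leaks length, which is acceptable only for fixed-length tokens.
def constant_time_compare(expected, submitted)
  return [false, 0] unless expected.bytesize == submitted.bytesize
  acc = 0
  expected.bytes.zip(submitted.bytes) { |e, s| acc |= e ^ s }
  [acc.zero?, expected.bytesize]
end

# Production form: hash both inputs to a fixed 32-byte digest first so that a
# length mismatch is not short-circuited either, then XOR-fold the digests.
def secure_compare(a, b)
  da = Digest::SHA256.digest(a.to_s)
  db = Digest::SHA256.digest(b.to_s)
  acc = 0
  da.bytes.zip(db.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Where the comparison sits in a Rack-style CSRF check (hypothetical helper,
# not rack-protection's implementation): safe methods pass; otherwise the
# X-CSRF-Token header or the authenticity_token param must match the session.
SAFE_METHODS = %w[GET HEAD OPTIONS TRACE].freeze

def csrf_accepts?(env, session_token, params = {})
  return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
  submitted = env['HTTP_X_CSRF_TOKEN'] || params['authenticity_token']
  return false if submitted.nil?
  secure_compare(session_token, submitted)
end

# --- Attacker side ----------------------------------------------------------
# The oracle an attacker has: submit a guess, observe whether it was accepted
# and how long the server's comparison took.
def build_oracle(real_token, compare)
  ->(guess) { compare.call(real_token, guess) }
end

HEX = [*'0'..'9', *'a'..'f'].freeze

# Recovers a hex token one byte at a time: at each position the candidate whose
# comparison runs at least one byte longer than the rest is the correct one.
# An accepted guess is observable directly, which settles the final byte.
def recover_token(length, oracle)
  known = +''
  length.times do
    best = HEX.max_by do |c|
      accepted, steps = oracle.call(known + c + '0' * (length - known.size - 1))
      accepted ? Float::INFINITY : steps
    end
    known << best
  end
  known
end

if __FILE__ == $PROGRAM_NAME
  token = 'deadbeef0123' # constructed sample session token
  puts "leaky check:         #{recover_token(token.size, build_oracle(token, method(:leaky_compare)))}"
  puts "constant-time check: #{recover_token(token.size, build_oracle(token, method(:constant_time_compare)))}"
end
```

Against the leaky oracle every position yields exactly one candidate whose step count exceeds the others, so the loop walks straight to the real token; against the constant-time oracle all candidates cost the same and the attacker learns nothing. The same fix applies to any secret-equality check reachable from the network (HMAC signatures, API keys, password reset tokens), not just CSRF tokens.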

References

Affected packages

RubyGems / rack-protection

Package

Name
rack-protection
Purl
pkg:gem/rack-protection

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.5.5

Affected versions

0.*

0.1.0

1.*

1.0.0
1.1.2
1.1.3
1.1.4
1.2.0
1.3.1
1.3.2
1.4.0
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4

RubyGems / rack-protection

Package

Name
rack-protection
Purl
pkg:gem/rack-protection

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0.beta1
Fixed
2.0.0

Affected versions

2.*

2.0.0.beta1
2.0.0.beta2
2.0.0.rc1
2.0.0.rc2
2.0.0.rc5
2.0.0.rc6

Database specific

{
    "last_known_affected_version_range": "<= 2.0.0.rc3"
}