GHSA-q58g-455p-8vw9

Suggest an improvement
Source
https://github.com/advisories/GHSA-q58g-455p-8vw9
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-q58g-455p-8vw9/GHSA-q58g-455p-8vw9.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-q58g-455p-8vw9
Aliases
Published
2019-12-16T19:30:17Z
Modified
2023-11-01T05:30:06.871878Z
Severity
  • 5.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
In RubyGem excon, interrupted Persistent Connections May Leak Response Data
Details

Impact

There was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.

Patches

The problem has been patched in 0.71.0, users should upgrade to this or a newer version (if one exists).

Workarounds

Users can workaround the problem by disabling persistent connections, though this may cause performance implications.

References

See the patch for further details.

For more information

If you have any questions or comments about this advisory: * Open an issue in excon/issues * Email us at geemus+github@gmail.com

Database specific
{
    "nvd_published_at": "2019-12-16T20:15:00Z",
    "cwe_ids": [
        "CWE-362",
        "CWE-664"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2019-12-16T19:28:10Z"
}
References

Affected packages

RubyGems / excon

Package

Name
excon
Purl
pkg:gem/excon

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.71.0

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.7
0.0.8
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.6
0.2.7
0.2.8
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.4.0
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.8.0
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.10.0
0.10.1
0.11.0
0.12.0
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.14.0
0.14.1
0.14.2
0.14.3
0.15.0
0.15.1
0.15.2
0.15.3
0.15.4
0.15.5
0.16.0
0.16.1
0.16.2
0.16.3
0.16.4
0.16.5
0.16.7
0.16.8
0.16.9
0.16.10
0.17.0
0.18.0
0.18.1
0.18.2
0.18.3
0.18.4
0.18.5
0.19.0
0.19.1
0.19.2
0.19.3
0.19.4
0.19.5
0.20.0
0.20.1
0.21.0
0.22.0
0.22.1
0.23.0
0.24.0
0.25.0
0.25.1
0.25.2
0.25.3
0.26.0
0.27.0
0.27.1
0.27.2
0.27.3
0.27.4
0.27.5
0.27.6
0.28.0
0.29.0
0.30.0
0.31.0
0.32.0
0.32.1
0.33.0
0.34.0
0.35.0
0.36.0
0.37.0
0.38.0
0.39.0
0.39.1
0.39.2
0.39.3
0.39.4
0.39.5
0.39.6
0.40.0
0.41.0
0.42.0
0.42.1
0.43.0
0.44.0
0.44.1
0.44.2
0.44.3
0.44.4
0.45.0
0.45.1
0.45.2
0.45.3
0.45.4
0.46.0
0.47.0
0.48.0
0.49.0
0.50.0
0.50.1
0.51.0
0.52.0
0.53.0
0.54.0
0.55.0
0.56.0
0.57.0
0.57.1
0.58.0
0.59.0
0.60.0
0.61.0
0.62.0
0.63.0
0.64.0
0.65.0
0.66.0
0.67.0
0.68.0
0.69.0
0.69.1
0.70.0