GHSA-xc85-32mf-xpv8

Source
https://github.com/advisories/GHSA-xc85-32mf-xpv8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xc85-32mf-xpv8/GHSA-xc85-32mf-xpv8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-xc85-32mf-xpv8
Aliases
Published
2022-05-05T02:48:42Z
Modified
2024-02-20T05:33:47.195112Z
Summary
Rack arbitrary code execution via timing attack
Details

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
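The weakness described above is an ordinary early-exit string comparison applied to an HMAC digest: the comparison stops at the first differing byte, so the time it takes depends on how many leading bytes of a forged digest happen to be right. The Ruby below is an added illustration, not Rack's own code or the patch: it signs a cookie payload with HMAC-SHA1 as Rack 1.x did, contrasts an early-exit comparison with a fixed-work one, and verifies a cookie in the `payload--hexdigest` layout (the layout and the `EXAMPLE_SECRET` value are assumptions made for the demonstration). Rather than measuring wall-clock time, which is noisy, `early_exit_compare` reports how many bytes it examined, which is the quantity the timing side channel exposes.

```ruby
require 'openssl'

# Constructed sample secret for the demonstration only (an assumption; not a value from the advisory).
EXAMPLE_SECRET = 'constructed-demo-secret'.freeze

# Hex-encoded HMAC-SHA1 over the cookie payload, as Rack::Session::Cookie 1.x computed it.
def generate_hmac(data, secret = EXAMPLE_SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Vulnerable pattern: a byte-by-byte comparison that returns at the first mismatch.
# Returns [match?, bytes_examined]; the second value is what a timing attack observes
# indirectly, because the work done grows with the length of the correct prefix.
def early_exit_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).each_with_index do |(x, y), i|
    return [false, i + 1] if x != y
  end
  [true, a.bytesize]
end

# Hardened pattern: touch every byte and accumulate differences with XOR/OR, so the
# work done does not depend on where (or whether) the inputs differ. The length
# check leaks only the digest length, which is public anyway. Modern Rack ships
# the same idea as Rack::Utils.secure_compare.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Builds a cookie in the "<payload>--<hexdigest>" layout (modeled on Rack::Session::Cookie).
def build_cookie(payload, secret = EXAMPLE_SECRET)
  "#{payload}--#{generate_hmac(payload, secret)}"
end

# Verifies a cookie with the constant-time comparison; returns the payload or nil.
def verify_cookie(cookie, secret = EXAMPLE_SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  secure_compare(generate_hmac(payload, secret), digest) ? payload : nil
end

if $PROGRAM_NAME == __FILE__
  cookie = build_cookie('session-data')
  puts "valid cookie -> #{verify_cookie(cookie).inspect}"
  puts "forged digest -> #{verify_cookie('session-data--' + ('0' * 40)).inspect}"
end
```

When auditing an application for this class of bug, look for `==` (or `eql?`) applied to a freshly computed MAC, digest or token; every such comparison should go through a fixed-work routine like `secure_compare`. For Rack itself the remediation is to move to the fixed release of the branch in use (1.5.2, 1.4.5, 1.3.10, 1.2.8 or 1.1.6).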

References

Affected packages

Ecosystem / Package   Purl          Range type   Introduced   Fixed    Affected versions
RubyGems / rack       pkg:gem/rack  ECOSYSTEM    1.5.0        1.5.2    1.5.0, 1.5.1
RubyGems / rack       pkg:gem/rack  ECOSYSTEM    1.4.0        1.4.5    1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4
RubyGems / rack       pkg:gem/rack  ECOSYSTEM    1.3.0        1.3.10   1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9
RubyGems / rack       pkg:gem/rack  ECOSYSTEM    1.2.0        1.2.8    1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7
RubyGems / rack       pkg:gem/rack  ECOSYSTEM    1.1.0        1.1.6    1.1.0, 1.1.1.pre, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5