CVE-2018-1000119

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2018-1000119

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-1000119.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-1000119

Aliases

GHSA-688c-3x49-6rqj

Related

Published

2018-03-07T14:29:00Z

Modified

2024-08-01T07:50:57.834047Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

References

Affected packages

Git / github.com/sinatra/rack-protection

Affected ranges

Type: GIT
Repo: https://github.com/sinatra/rack-protection
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

a81e964e840c064c1a37b0dd165d7d5d8d5759bc

Type: GIT
Repo: https://github.com/sinatra/sinatra
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

8aa6c42ef724f93ae309fb7c5668e19ad547eceb

Affected versions

v0.*

v0.1.0

v1.*

v1.0.0

v1.1.0

v1.1.1

v1.1.2

v1.1.3

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.4.0

v1.5.0

v1.5.1

v1.5.2

v1.5.3