GHSA-688c-3x49-6rqj

Source

https://github.com/advisories/GHSA-688c-3x49-6rqj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-688c-3x49-6rqj/GHSA-688c-3x49-6rqj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-688c-3x49-6rqj

Aliases

CVE-2018-1000119

Published

2018-03-07T22:22:22Z

Modified

2024-02-16T07:58:58.375721Z

Severity

5.9 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

rack-protection gem timing attack vulnerability when validating CSRF token

Details

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

References

Affected packages

RubyGems / rack-protection

Package

Name: rack-protection
Purl: pkg:gem/rack-protection

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.5.5

Affected versions

0.*

0.1.0

1.*

1.0.0

1.1.2

1.1.3

1.1.4

1.2.0

1.3.1

1.3.2

1.4.0

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

RubyGems / rack-protection

Package

Name: rack-protection
Purl: pkg:gem/rack-protection

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0.beta1

Fixed

2.0.0

Affected versions

2.*

2.0.0.beta1

2.0.0.beta2

2.0.0.rc1

2.0.0.rc2

2.0.0.rc5

2.0.0.rc6

Database specific

{
    "last_known_affected_version_range": "<= 2.0.0.rc3"
}