GHSA-xc85-32mf-xpv8

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xc85-32mf-xpv8/GHSA-xc85-32mf-xpv8.json
Aliases
  • CVE-2013-0263
Published
2022-05-05T02:48:42Z
Modified
2022-06-17T21:48:43.788130Z
Details

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

References

Affected packages

RubyGems / rack

rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.5.0
Fixed
1.5.2

Affected versions

1.*

1.5.0
1.5.1

RubyGems / rack

rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.4.0
Fixed
1.4.5

Affected versions

1.*

1.4.0
1.4.1
1.4.2
1.4.3
1.4.4

RubyGems / rack

rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.3.0
Fixed
1.3.10

Affected versions

1.*

1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9

RubyGems / rack

rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.2.0
Fixed
1.2.8

Affected versions

1.*

1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7

RubyGems / rack

rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.1.0
Fixed
1.1.6

Affected versions

1.*

1.1.0
1.1.1
1.1.1.pre
1.1.2
1.1.3
1.1.4
1.1.5