Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY4OGMtM3g0OS02cnFq

rack-protection gem timing attack vulnerability when validating CSRF token

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Permalink: https://github.com/advisories/GHSA-688c-3x49-6rqj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTY4OGMtM3g0OS02cnFq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 6 years ago
Updated: 8 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-688c-3x49-6rqj, CVE-2018-1000119
References:

Repository: https://github.com/sinatra/rack-protection
Blast Radius: 30.1

Affected Packages

rubygems:rack-protection

Dependent packages: 55
Dependent repositories: 127,710
Downloads: 347,644,425 total
Affected Version Ranges: >= 2.0.0.beta1, <= 2.0.0.rc3, < 1.5.5
Fixed in: 2.0.0, 1.5.5
All affected versions: 0.1.0, 1.0.0, 1.1.2, 1.1.3, 1.1.4, 1.2.0, 1.3.1, 1.3.2, 1.4.0, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.1.0, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.1.0, 3.2.0, 4.0.0
All unaffected versions: