CVE-2019-16779 – excon
Package
Manager: gem
Name: excon
Vulnerable Version: >=0 <0.71.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00414 pctl0.60752
Details
In RubyGem excon, Interrupted Persistent Connections May Leak Response Data

### Impact
There was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.

### Patches
The problem has been patched in 0.71.0; users should upgrade to this or a newer version (if one exists).

### Workarounds
Users can work around the problem by disabling persistent connections, though this may have performance implications.

### References
See the [patch](https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29) for further details.

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [excon/issues](https://github.com/excon/excon/issues)
* Email us at [geemus+github@gmail.com](mailto:geemus+github@gmail.com)
Metadata
Created: 2019-12-16T19:30:17Z
Modified: 2021-10-29T14:10:27Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-q58g-455p-8vw9/GHSA-q58g-455p-8vw9.json
CWE IDs: ["CWE-362", "CWE-664"]
Alternative ID: GHSA-q58g-455p-8vw9
Finding: F124
Auto approve: 1