CVE-2018-1000119 – rack-protection
Package
Manager: gem
Name: rack-protection
Vulnerable Version: >=0 <1.5.5 || >=2.0.0.beta1 <2.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0045 pctl0.62742
Details
rack-protection gem timing attack vulnerability when validating CSRF token. Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token check that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the Ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
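The weakness class above (CWE-203, observable timing discrepancy) comes from comparing a secret token with an ordinary early-exit string comparison. The Ruby below is an added illustration, not code from rack-protection or Sinatra: it contrasts an early-exit comparison with a constant-time comparison written in the style of Rack::Utils.secure_compare, and wraps the latter in a CSRF check. The "bytes examined" counter each function returns is an instrumentation added here to make the leak visible deterministically; the token values are constructed samples.

```ruby
require 'securerandom'

# Early-exit comparison, the pattern the advisory describes: the loop stops
# at the first mismatching byte, so the work done (and the time taken) grows
# with the length of the prefix an attacker has guessed correctly.
# Returns [equal?, bytes_examined]; the count exists only for illustration.
def early_exit_compare(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  e = expected.bytes
  g = given.bytes
  e.each_index do |i|
    return [false, i + 1] if e[i] != g[i]
  end
  [true, e.length]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare (added
# here, not the gem's own code). The length check can reveal the length,
# which is fine for fixed-length tokens; for equal-length inputs every byte is
# always examined and mismatches are accumulated with XOR/OR, so there is no
# early exit that reveals where the first difference is.
def secure_compare(expected, given)
  return [false, 0] unless expected.bytesize == given.bytesize
  acc = 0
  expected.bytes.zip(given.bytes) { |e, g| acc |= e ^ g }
  [acc.zero?, expected.bytesize]
end

# A fresh per-session token: 32 random bytes, hex encoded (64 characters).
def generate_csrf_token
  SecureRandom.hex(32)
end

# CSRF check as a defender writes it after the fix: a missing token on either
# side is rejected, and the comparison itself is constant time.
def valid_csrf_token?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  secure_compare(session_token, submitted_token).first
end

if __FILE__ == $PROGRAM_NAME
  secret = 'abcdef0123456789' # constructed sample token
  # Two wrong guesses: one matches a 3-byte prefix, the other none.
  [%w[abc0000000000000 3-byte-prefix], %w[zzzzzzzzzzzzzzzz no-prefix]].each do |guess, label|
    _, early = early_exit_compare(secret, guess)
    _, fixed = secure_compare(secret, guess)
    puts "#{label}: early-exit examined #{early} bytes, constant-time examined #{fixed}"
  end
  token = generate_csrf_token
  puts "valid token accepted: #{valid_csrf_token?(token, token)}"
  puts "missing token rejected: #{!valid_csrf_token?(token, nil)}"
end
```

Running the script prints that the early-exit comparison examines 4 bytes for the guess sharing a 3-byte prefix but only 1 byte for the guess sharing none, while the constant-time version examines all 16 bytes in both cases; that difference in work is what a remote attacker measures as a timing difference.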
Metadata
Created: 2018-03-07T22:22:22Z
Modified: 2023-08-29T15:23:28Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/03/GHSA-688c-3x49-6rqj/GHSA-688c-3x49-6rqj.json
CWE IDs: ["CWE-203"]
Alternative ID: GHSA-688c-3x49-6rqj
Finding: F026
Auto approve: 1