CVE-2019-16782 – rack
Package
Manager: gem
Name: rack
Vulnerable Version: >=0 <1.6.12 || >=2.0.0 <2.0.8
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
EPSS: 0.01634 (percentile 0.81201)
Details
Possible Information Leak / Session Hijack Vulnerability in Rack

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

## Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds

There are no known workarounds.

### Patches

To aid users who aren't able to upgrade immediately, we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.0 series

### Credits

Thanks to Will Leinweber for reporting this!
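As an added example (illustrative code, not Rack's own implementation and not part of this advisory), a session store that never indexes by the raw cookie value: the store key is a SHA-256 digest of the cookie id, so a lookup whose timing depends on the stored key can reveal at most bytes of the digest, which does not help recover the cookie value; a constant-time compare is shown for cases where two ids must be compared directly. The `private_id` helper and its `"2::"` version prefix are assumptions chosen for this example.

```ruby
require "digest"
require "securerandom"

# Illustrative session store (constructed for this example, not Rack's code).
# The cookie carries the public id; the store is indexed only by a SHA-256
# digest of it. An index that compares keys byte by byte may leak how many
# leading bytes matched, but here that would only describe the digest, and the
# digest cannot be inverted to the cookie value.
class HashedKeySessionStore
  def initialize
    @sessions = {} # stands in for a database indexed by key
  end

  # Lookup key derived from the cookie value (assumed scheme). The prefix
  # versions the derivation so a later change of digest is distinguishable.
  def self.private_id(public_id)
    "2::" + Digest::SHA256.hexdigest(public_id)
  end

  def create(data)
    public_id = SecureRandom.hex(32) # 256 bits of randomness in the cookie
    @sessions[self.class.private_id(public_id)] = data
    public_id
  end

  def fetch(public_id)
    @sessions[self.class.private_id(public_id)]
  end

  def stored_keys
    @sessions.keys # only digests are ever stored, never the cookie value
  end
end

# Constant-time comparison for the cases where two ids must be compared
# directly; it does not stop at the first differing byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

if __FILE__ == $PROGRAM_NAME
  store = HashedKeySessionStore.new
  sid = store.create({ user_id: 42 })
  p store.fetch(sid)
end
```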
Metadata
Created: 2019-12-18T19:01:31Z
Modified: 2025-02-13T18:33:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hrqr-hxpp-chr3/GHSA-hrqr-hxpp-chr3.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-hrqr-hxpp-chr3
Finding: F026
Auto approve: 1