CVE-2020-15237 shrine

Package

Manager: gem
Name: shrine
Vulnerable Version: >=0 <3.3.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00316 (percentile 0.54099)

Details

Possible timing attack in derivation_endpoint

### Impact

When using the `derivation_endpoint` plugin, the signature sent in a derivation URL was compared against the calculated signature with an ordinary string comparison. Such a comparison stops at the first differing byte, so the response time leaks how many leading bytes of the attacker's guess are correct, and an attacker who can measure it can recover a valid signature one byte at a time rather than guessing the whole value.

### Patches

The problem has been fixed by comparing the sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users of the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater.

### Workarounds

Users of older Shrine versions can apply the following monkey-patch after loading the `derivation_endpoint` plugin:

```rb
class Shrine
  class UrlSigner
    def verify_signature(string, signature)
      if signature.nil?
        fail InvalidSignature, "missing \"signature\" param"
      elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
        fail InvalidSignature, "provided signature does not match the calculated signature"
      end
    end
  end
end
```

### References

You can read more about timing attacks [here](https://en.wikipedia.org/wiki/Timing_attack).
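The following is an added, self-contained Ruby example, not Shrine's code, that shows why the short-circuit comparison matters and what the constant-time fix changes. The secret key, the derivation URL string and the HMAC-SHA256 signer are constructed assumptions standing in for `Shrine::UrlSigner`; the comparison work is counted in bytes examined rather than measured with a clock, so the leak is visible deterministically. `constant_time_compare` re-implements the XOR/OR accumulation used by `Rack::Utils.secure_compare` so the script runs without Rack installed.

```ruby
require "openssl"

# Constructed secret and signer for the example; Shrine's exact signed-string format is
# not reproduced here, only the HMAC-SHA256 hex digest shape.
SECRET_KEY = "constructed-example-secret-do-not-reuse"
HEX_DIGITS = "0123456789abcdef".chars

def generate_signature(string, key = SECRET_KEY)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), key, string)
end

# Model of a short-circuit comparison (what a plain `signature != calculated` does):
# stop at the first differing byte.  Returns [match?, bytes_examined] so the side
# channel can be observed directly instead of through noisy wall-clock timing.
def leaky_compare(provided, expected)
  return [false, 0] if provided.bytesize != expected.bytesize
  provided.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != expected.getbyte(i)
  end
  [true, provided.bytesize]
end

# Constant-time comparison in the shape of Rack::Utils.secure_compare: every byte is
# folded into `acc` with XOR/OR, so the work done is the same wherever the first
# difference sits.  (The length check leaks only the length, which is public here.)
def constant_time_compare(provided, expected)
  return [false, 0] if provided.bytesize != expected.bytesize
  acc = 0
  provided.each_byte.with_index { |byte, i| acc |= byte ^ expected.getbyte(i) }
  [acc == 0, provided.bytesize]
end

# Attacker model: knows the signature length (64 hex digits for HMAC-SHA256) and can
# submit guesses while observing how much comparison work each one caused.  With a
# short-circuit compare, the digit whose guess examined one more byte than the others
# is the correct one, so the signature falls digit by digit in at most 16 * 64 = 1024
# queries instead of 16**64.  Returns [recovered_signature, queries_used].
def recover_signature(sig_len, oracle)
  known = ""
  queries = 0
  sig_len.times do
    best_digit, best_work = nil, -1
    HEX_DIGITS.each do |digit|
      guess = (known + digit).ljust(sig_len, "0")
      ok, work = oracle.call(guess)
      queries += 1
      return [guess, queries] if ok
      best_digit, best_work = digit, work if work > best_work
    end
    known << best_digit
  end
  [known, queries]
end

class InvalidSignature < StandardError; end

# Verification in the shape of the patched Shrine::UrlSigner#verify_signature, with the
# constant-time compare above standing in for Rack::Utils.secure_compare.
def verify_signature(string, signature)
  raise InvalidSignature, "missing \"signature\" param" if signature.nil?
  ok, _ = constant_time_compare(signature, generate_signature(string))
  raise InvalidSignature, "provided signature does not match the calculated signature" unless ok
  true
end

if __FILE__ == $PROGRAM_NAME
  url = "/derivations/thumbnail/600/400/constructed-file-id"  # constructed URL string
  real = generate_signature(url)
  leaky = ->(guess) { leaky_compare(guess, real) }
  safe  = ->(guess) { constant_time_compare(guess, real) }
  recovered, queries = recover_signature(real.bytesize, leaky)
  puts "short-circuit compare: recovered=#{recovered == real} after #{queries} queries"
  recovered, queries = recover_signature(real.bytesize, safe)
  puts "constant-time compare: recovered=#{recovered == real} after #{queries} queries"
end
```

Against the leaky oracle the full 64-digit signature is recovered in roughly a thousand queries; against the constant-time oracle every wrong guess reports identical work, so the search has nothing to climb and ends up with an arbitrary wrong value. In production the "work" is a difference of nanoseconds per byte that attackers average out over many requests, which is why the fix is constant-time comparison rather than adding noise.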

Metadata

Created: 2020-10-05T15:48:34Z
Modified: 2023-05-16T16:18:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/10/GHSA-5jjv-x4fq-qjwp/GHSA-5jjv-x4fq-qjwp.json
CWE IDs: ["CWE-203", "CWE-208"]
Alternative ID: GHSA-5jjv-x4fq-qjwp
Finding: F063
Auto approve: 1