Vulnerability CVE-2018-1000119
Published: 2018-03-07

Description:
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Type:

CWE-200

 (Information Exposure)

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Sinatrarb -> Sinatra 
Sinatrarb -> Rack-protection 

 References:
https://access.redhat.com/errata/RHSA-2018:1060
https://github.com/sinatra/rack-protection/pull/98
https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109
https://www.debian.org/security/2018/dsa-4247
Copyright 2024, cxsecurity.com

 

Back to Top