RubySec

Providing security resources for the Ruby community

CVE-2013-0263 (rack): CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions

GEM

rack

SEVERITY

CVSS v2.0: 5.1 (Medium)

PATCHED VERSIONS

  • ~> 1.1.6
  • ~> 1.2.8
  • ~> 1.3.10
  • ~> 1.4.5
  • >= 1.5.2

DESCRIPTION

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
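The flaw is in how the signature on the session cookie is checked, not in the HMAC itself. The following added example (not Rack's own code) shows the vulnerable pattern beside the hardened one: a cookie carries `data--hexdigest`, the server recomputes the HMAC-SHA1 over `data`, and the two digests are compared. `String#==` returns as soon as it finds a mismatching byte, so the response time reveals how many leading bytes of a forged digest are right; the fixed comparison checks length and then XORs every byte so its running time does not depend on where the mismatch is. The secret, the `--` separator and the plain-text `data` field are simplifications assumed for this demo; real Rack sessions carry base64-encoded serialized data.

```ruby
require 'openssl'

# Constructed demo secret; a real deployment uses a long random secret.
SECRET = 'constructed-demo-secret'.freeze

# HMAC-SHA1 hex digest, the scheme Rack::Session::Cookie signs with.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Vulnerable pattern: String#== stops at the first differing byte, so the
# time it takes leaks the length of the correct prefix of the digest.
def digest_matches_fast?(expected, actual)
  expected == actual
end

# Hardened pattern: fail fast only on length (the digest length is public),
# then fold the XOR of every byte pair into an accumulator so the work done
# is the same whether the strings differ in byte 0 or byte 39.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Build a signed cookie "data--digest" (simplified layout, assumed for the demo).
def make_cookie(data, secret = SECRET)
  "#{data}--#{sign(data, secret)}"
end

# Verify a cookie with the constant-time comparison.
def cookie_valid?(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return false if data.nil? || digest.nil?

  secure_compare(sign(data, secret), digest)
end

if __FILE__ == $PROGRAM_NAME
  cookie = make_cookie('user_id=42')
  puts cookie_valid?(cookie)                 # true
  puts cookie_valid?(cookie.sub('42', '1'))  # false: data changed, digest no longer matches
end
```

Rack 1.5.2 and the other patched versions replace the plain comparison with this kind of constant-time check; on current Ruby the same can be had from `OpenSSL.fixed_length_secure_compare` or `Rack::Utils.secure_compare` rather than hand-rolling it.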