RubySec

Providing security resources for the Ruby community

CVE-2013-0263 (rack): Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution

GEM

rack

SEVERITY

CVSS v2: 5.1

PATCHED VERSIONS

  • ~> 1.1.6
  • ~> 1.2.8
  • ~> 1.3.10
  • ~> 1.4.5
  • >= 1.5.2

DESCRIPTION

Rack contains a flaw due to an error in the Rack::Session::Cookie function. Users of the Marshal session cookie encoding (the default) are subject to a timing attack that may allow an attacker to execute arbitrary code. The attack is more practical against ‘cloud’ users, as intra-cloud latencies are low enough to make it viable.
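The mitigation applied for this class of bug is to compare the cookie's HMAC in constant time and to reach Marshal.load only after that check passes. The following is an added illustration written for this page, not Rack's own code; the cookie layout, the SECRET value and the helper names are assumptions chosen for the demonstration.

```ruby
require 'openssl'
require 'base64'

# Constructed demo secret; a real deployment uses a long random secret.
SECRET = 'constructed-demo-secret-not-for-real-use'.freeze

# Constant-time string comparison: the running time depends only on the
# length of the inputs, never on where the first differing byte lies.
# A plain String#== returns as soon as it sees a mismatch, which is the
# timing side channel this advisory is about.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack('C*')
  diff = 0
  b.each_byte { |byte| diff |= byte ^ left.shift }
  diff.zero?
end

# HMAC-SHA1 over the encoded payload, hex encoded.
def sign(data, secret = SECRET)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
end

# Builds a cookie value of the assumed form "<base64 marshal>--<hmac>".
def encode_session(session, secret = SECRET)
  data = Base64.strict_encode64(Marshal.dump(session))
  "#{data}--#{sign(data, secret)}"
end

# Returns the session hash only when the digest verifies, otherwise nil.
# Marshal.load is never executed for a cookie whose signature fails, so a
# forged payload cannot be deserialized even if the digest is guessed wrong.
def decode_session(cookie, secret = SECRET)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(sign(data, secret), digest)
  Marshal.load(Base64.strict_decode64(data))
end
```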