CVE-2009-3086

Published: 08/09/2009 Updated: 08/08/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A certain algorithm in Ruby on Rails 2.1.0 up to and including 2.2.2, and 2.3.x prior to 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote malicious users to forge a digest via multiple attempts.

Vulnerable Products

rubyonrails rails 2.1.0
rubyonrails rails 2.1.1
rubyonrails rails 2.1.2
rubyonrails rails 2.2.0
rubyonrails rails 2.2.1
rubyonrails rails 2.2.2
rubyonrails rails 2.3.2
rubyonrails rails 2.3.3

Vendor Advisories

Debian Bug report logs - #558685 rails: [CVE-2009-4214] Cross-site scripting (XSS) vulnerability in strip_tags. Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon). Reported by: Michael Gilbert < ...
Debian Bug report logs - #545063 Security fixes (incl. CVE-2009-3009). Package: rails; Maintainer for rails is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for rails is src:rails (PTS, buildd, popcon). Reported by: Jan Lühr <yanosz@gmx.net> Date: Fri, 4 Sep 2009 18:18:0 ...
Two vulnerabilities were discovered in Ruby on Rails, a web application framework. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2009-3086: The cookie store may be vulnerable to a timing attack, potentially allowing remote attackers to forge message digests. CVE-2009-4214: A cross-site scripting ...