CVE-2013-0263

Published: 08/02/2013 Updated: 13/02/2023
CVSS v2 Base Score: 5.1 | Impact Score: 6.4 | Exploitability Score: 4.9
VMScore: 455
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P

Vulnerability Summary

Rack::Session::Cookie in Rack 1.5.x prior to 1.5.2, 1.4.x prior to 1.4.5, 1.3.x prior to 1.3.10, 1.2.x prior to 1.2.8, and 1.1.x prior to 1.1.6 allows remote malicious users to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
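The defect described above is in how the signed session cookie's HMAC is checked, not in the HMAC itself. The following is an added illustration (not Rack's own code) of a Rack::Session::Cookie-style cookie format, the early-exit comparison whose running time depends on how many leading bytes of the digest match, and the constant-time comparison that removes that dependency. The secret, the payload and the `sign_session`/`verify_session` helpers are constructed for this example; the constant-time routine follows the shape of the `Rack::Utils.secure_compare` fix (XOR every byte pair and OR the results, so the loop always runs to the end).

```ruby
require 'openssl'
require 'base64'

# Constructed secret for the example; a real deployment loads it from config.
SECRET = 'example-secret-not-for-production'

# Signs a serialized session in outline the way Rack::Session::Cookie does:
# base64 payload, "--", hex HMAC-SHA1 over the payload.
def sign_session(payload, secret = SECRET)
  data = Base64.strict_encode64(payload)
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Vulnerable comparison: returns as soon as a byte differs, so the time it
# takes depends on how many leading bytes agree (the defect in CVE-2013-0263).
def early_exit_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return false if byte != b.getbyte(i)
  end
  true
end

# Constant-time comparison: XOR each byte pair and OR the results, so every
# byte is examined regardless of where the strings first differ and the
# result does not leak how far they agree.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  r = 0
  a.each_byte.with_index { |byte, i| r |= byte ^ b.getbyte(i) }
  r == 0
end

# Verifies a cookie value and returns the decoded payload, or nil when the
# cookie is malformed or its digest does not match. The comparison function
# is injectable only so both variants can be exercised side by side.
def verify_session(cookie, secret = SECRET, compare: method(:secure_compare))
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  return nil unless compare.call(expected, digest)
  Base64.strict_decode64(data)
rescue ArgumentError
  nil
end
```

Both comparison functions return the same boolean for every input; the difference is only in how long they take to return it, which is why a fix for this class of bug is invisible to functional tests and has to be enforced by convention (always compare secrets with the constant-time routine).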

Vulnerable Products

rack project rack 1.5.1
rack project rack 1.5.0
rack project rack 1.4.4
rack project rack 1.4.2
rack project rack 1.4.3
rack project rack 1.4.0
rack project rack 1.4.1
rack project rack 1.3.1
rack project rack 1.3.7
rack project rack 1.3.8
rack project rack 1.3.2
rack project rack 1.3.5
rack project rack 1.3.9
rack project rack 1.3.6
rack project rack 1.3.0
rack project rack 1.3.4
rack project rack 1.3.3
rack project rack 1.2.6
rack project rack 1.2.3
rack project rack 1.2.0
rack project rack 1.2.7
rack project rack 1.2.1
rack project rack 1.2.4
rack project rack 1.2.2
rack project rack 1.1.0
rack project rack 1.1.4
rack project rack 1.1.5
rack project rack 1.1.6

Vendor Advisories

Synopsis: Moderate: Red Hat OpenShift Enterprise 1.1.2 update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat OpenShift Enterprise 1.1.2, which fixes several security issues, is now available. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerabili ...
Synopsis: Moderate: Subscription Asset Manager 1.2.1 update. Type/Severity: Security Advisory: Moderate. Topic: Red Hat Subscription Asset Manager 1.2.1, which fixes several security issues, multiple bugs, and adds various enhancements, is now available. The Red Hat Security Response Team has rated this update as ...
Several vulnerabilities were discovered in Rack, a modular Ruby webserver interface. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities: CVE-2011-5036 Rack computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers ...
Debian Bug report logs - #700173 ruby-rack: CVE-2013-0262: Path sanitization information disclosure. Package: src:ruby-rack; Maintainer for src:ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 9 Feb 2013 ...
Debian Bug report logs - #698440 ruby-rack: CVE-2012-6109 CVE-2013-0184 CVE-2013-0183. Package: ruby-rack; Maintainer for ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Source for ruby-rack is src:ruby-rack (PTS, buildd, popcon); Reported by: Moritz Muehlenhoff <jmm@inutil ...
Debian Bug report logs - #700226 ruby-rack: CVE-2013-0263: Timing attack in cookie sessions. Package: src:ruby-rack; Maintainer for src:ruby-rack is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Sat, 9 Feb 2013 13:18:02 ...

Github Repositories

Rack fork to accommodate backports to 1.4.7

Rack, a modular Ruby webserver interface. Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby.

Rack middleware to prevent timing attacks

rack-timesec: a Rack middleware to prevent timing attacks. In a timing attack an attacker times how long a query takes to discover sensitive information about the application. In the past, timing attacks have been known to reveal usernames, credentials (or hashes thereof), cryptographic keys, session cookies (e.g. CVE-2013-0263), mapping of authorization or firewall rules, etc. An au ...

RACK Debian/Ubuntu packaging

Rack, a modular Ruby webserver interface. Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby.

Rack, a modular Ruby webserver interface. Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby.