ID CVE-2015-7576
Summary The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
References
Vulnerable Configurations
  • Ruby on Rails 5.0.0 Beta 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:5.0.0:beta1
  • Ruby on Rails 4.2.5 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.5:rc2
  • Ruby on Rails 4.2.5 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.5:rc1
  • Ruby on Rails 4.2.5
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.5
  • Ruby on Rails 4.2.4 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.4:rc1
  • Ruby on Rails 4.2.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.4
  • Ruby on Rails 4.2.3 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.3:rc1
  • Ruby on Rails 4.2.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.3
  • Ruby on Rails 4.2.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.2
  • Ruby on Rails 4.2.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.1
  • Ruby on Rails 4.2.1 Release Candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.1:rc4
  • Ruby on Rails 4.2.1 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.1:rc3
  • Ruby on Rails 4.2.1 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.1:rc2
  • Ruby on Rails 4.2.1 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.1:rc1
  • Ruby on Rails 4.2.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0
  • Ruby on Rails 4.2.0 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:rc3
  • Ruby on Rails 4.2.0 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:rc2
  • Ruby on Rails 4.2.0 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:rc1
  • Ruby on Rails 4.2.0 Beta 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:beta4
  • Ruby on Rails 4.2.0 Beta 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:beta3
  • Ruby on Rails 4.2.0 Beta 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:beta2
  • Ruby on Rails 4.2.0 Beta 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.2.0:beta1
  • Ruby on Rails 4.1.14
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14
  • Ruby on Rails 4.1.14 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14:rc2
  • Ruby on Rails 4.1.14 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.14:rc1
  • Ruby on Rails 4.1.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.13
  • Ruby on Rails 4.1.13 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.13:rc1
  • Ruby on Rails 4.1.12 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.12:rc1
  • Ruby on Rails 4.1.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.12
  • Ruby on Rails 4.1.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11
  • Ruby on Rails 4.1.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.10
  • Ruby on Rails 4.1.10 Release Candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.10:rc4
  • Ruby on Rails 4.1.10 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.10:rc3
  • Ruby on Rails 4.1.10 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.10:rc2
  • Ruby on Rails 4.1.10 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.10:rc1
  • Ruby on Rails 4.1.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.9
  • Ruby on Rails 4.1.9 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.9:rc1
  • Ruby on Rails 4.1.8
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.8
  • Ruby on Rails 4.1.7.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.7.1
  • Ruby on Rails 4.1.7
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.7
  • Ruby on Rails 4.1.6
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.6
  • Ruby on Rails 4.1.6 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.6:rc2
  • Ruby on Rails 4.1.6 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.6:rc1
  • Ruby on Rails 4.1.5
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.5
  • Ruby on Rails 4.1.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.4
  • Ruby on Rails 4.1.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.3
  • Ruby on Rails 4.1.2 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.2:rc3
  • Ruby on Rails 4.1.2 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.2:rc2
  • Ruby on Rails 4.1.2 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.2:rc1
  • Ruby on Rails 4.1.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.2
  • Ruby on Rails 4.1.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.1
  • Ruby on Rails 4.1.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.0
  • Ruby on Rails 4.1.0 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.0:rc2
  • Ruby on Rails 4.1.0 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.0:rc1
  • Ruby on Rails 4.1.0 Beta 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.0:beta2
  • Ruby on Rails 4.1.0 Beta 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.0:beta1
  • Ruby on Rails 4.0.13 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1
  • Ruby on Rails 4.0.13
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13
  • Ruby on Rails 4.0.12
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12
  • Ruby on Rails 4.0.11.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1
  • Ruby on Rails 4.0.11
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11
  • Ruby on Rails 4.0.10
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10
  • Ruby on Rails 4.0.10 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2
  • Ruby on Rails 4.0.10 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc1
  • Ruby on Rails 4.0.9
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.9
  • Ruby on Rails 4.0.8
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.8
  • Ruby on Rails 4.0.7
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.7
  • Ruby on Rails 4.0.6 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.6:rc3
  • Ruby on Rails 4.0.6 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.6:rc2
  • Ruby on Rails 4.0.6 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.6:rc1
  • Ruby on Rails 4.0.6
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.6
  • Ruby on Rails 4.0.5
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.5
  • Ruby on Rails 4.0.4 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.4:rc1
  • Ruby on Rails 4.0.4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.4
  • Ruby on Rails 4.0.3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.3
  • Ruby on Rails 4.0.2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.2
  • Ruby on Rails 4.0.1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.1
  • Ruby on Rails 4.0.1 Release Candidate 4
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.1:rc4
  • Ruby on Rails 4.0.1 Release Candidate 3
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.1:rc3
  • Ruby on Rails 4.0.1 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.1:rc2
  • Ruby on Rails 4.0.1 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.1:rc1
  • Ruby on Rails 4.0.0
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.0
  • Ruby on Rails 4.0.0 Release Candidate 2
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.0:rc2
  • Ruby on Rails 4.0.0 Release Candidate 1
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.0:rc1
  • Ruby on Rails 4.0.0 Beta
    cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.0:beta
  • Ruby on Rails 3.2.22
    cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.22
CVSS
Base: 4.3 (as of 14-03-2016 - 10:55)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
  Vector: NETWORK | Complexity: MEDIUM | Authentication: NONE
Impact
  Confidentiality: PARTIAL | Integrity: NONE | Availability: NONE
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-CB30088B06.NASL
    description Security fix for CVE-2015-7576 CVE-2016-0753 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89614
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89614
    title Fedora 22 : rubygem-activesupport-4.2.0-4.fc22 (2016-cb30088b06)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3464.NASL
    description Multiple security issues have been discovered in the Ruby on Rails web application development framework, which may result in denial of service, cross-site scripting, information disclosure or bypass of input validation.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88499
    published 2016-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88499
    title Debian DSA-3464-1 : rails - security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-3EDE04CD79.NASL
    description Security fix for CVE-2015-7576 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89523
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89523
    title Fedora 23 : rubygem-activesupport-4.2.3-3.fc23 (2016-3ede04cd79)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-159.NASL
    description This update for rubygem-actionpack-4_2, rubygem-actionview-4_2, rubygem-activemodel-4_2, rubygem-activerecord-4_2, rubygem-activesupport-4_2 fixes the following issues:
      - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (boo#963329)
      - CVE-2016-0752: directory traversal and information leak in Action View (boo#963332)
      - CVE-2015-7581: unbounded memory growth DoS via wildcard controller routes (boo#963335)
      - CVE-2016-0751: rubygem-actionpack: Object Leak DoS (boo#963331)
      - CVE-2016-0753: Input Validation Circumvention (boo#963334)
      - CVE-2015-7577: Nested attributes rejection proc bypass (boo#963330)
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88612
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88612
    title openSUSE Security Update : rubygem-actionpack-4_2 / rubygem-actionview-4_2 / rubygem-activemodel-4_2 / etc (openSUSE-2016-159)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_BB0EF21D0E1B461BBC3D9CBA39948888.NASL
    description Ruby on Rails blog : Rails 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, and 3.2.22.1 have been released! These contain important security fixes, and it is recommended that users upgrade as soon as possible.
    last seen 2019-02-21
    modified 2018-12-19
    plugin id 88532
    published 2016-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88532
    title FreeBSD : rails -- multiple vulnerabilities (bb0ef21d-0e1b-461b-bc3d-9cba39948888)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-604.NASL
    description Multiple vulnerabilities have been discovered in ruby-actionpack-3.2, a web-flow and rendering framework and part of Rails:
      - CVE-2015-7576: A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.
      - CVE-2016-0751: A flaw was found in the way the Action Pack component performed MIME type lookups. Since queries were cached in a global cache of MIME types, an attacker could use this flaw to grow the cache indefinitely, potentially resulting in a denial of service.
      - CVE-2016-0752: A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this flaw to render unexpected files and, possibly, execute arbitrary code.
      - CVE-2016-2097: Crafted requests to Action View might result in rendering files from arbitrary locations, including files beyond the application's view directory. This vulnerability is the result of an incomplete fix of CVE-2016-0752. This bug was found by Jyoti Singh and Tobias Kraze from Makandra.
      - CVE-2016-2098: If a web application does not properly sanitize user inputs, an attacker might control the arguments of the render method in a controller or a view, resulting in the possibility of executing arbitrary Ruby code. This bug was found by Tobias Kraze from Makandra and joernchen of Phenoelit.
      - CVE-2016-6316: Andrew Carpenter of Critical Juncture discovered a cross-site scripting vulnerability affecting Action View. Text declared as 'HTML safe' will not have quotes escaped when used as attribute values in tag helpers.
      For Debian 7 'Wheezy', these problems have been fixed in version 3.2.6-6+deb7u3. We recommend that you upgrade your ruby-actionpack-3.2 packages.
      NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 93132
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93132
    title Debian DLA-604-1 : ruby-actionpack-3.2 security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-160.NASL
    description This update for rubygem-actionpack-3_2, rubygem-activesupport-3_2 fixes the following issues:
      - CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (boo#963329)
      - CVE-2016-0752: directory traversal and information leak in Action View (boo#963332)
      - CVE-2016-0751: rubygem-actionpack: Object Leak DoS (boo#963331)
      - CVE-2015-7577: Nested attributes rejection proc bypass (boo#963330)
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 88613
    published 2016-02-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88613
    title openSUSE Security Update : rubygem-actionpack-3_2 / rubygem-activesupport-3_2 (openSUSE-2016-160)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-94E71EE673.NASL
    description Security fix for CVE-2015-7581 CVE-2015-7576 CVE-2016-0751 CVE-2016-0752 CVE-2016-0753 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89583
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89583
    title Fedora 22 : rubygem-actionpack-4.2.0-3.fc22 / rubygem-activemodel-4.2.0-2.fc22 (2016-94e71ee673)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-F486068393.NASL
    description Security fix for CVE-2015-7581 Security fix for CVE-2016-0751 Security fix for CVE-2015-7576 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-10-18
    plugin id 89640
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89640
    title Fedora 23 : rubygem-actionpack-4.2.3-4.fc23 (2016-f486068393)
redhat via4
advisories
rhsa
id RHSA-2016:0296
refmap via4
bid 81803
debian DSA-3464
fedora
  • FEDORA-2016-3ede04cd79
  • FEDORA-2016-94e71ee673
  • FEDORA-2016-cb30088b06
  • FEDORA-2016-f486068393
mlist
  • [oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.
  • [ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.
sectrack 1034816
suse
  • SUSE-SU-2016:1146
  • openSUSE-SU-2016:0363
  • openSUSE-SU-2016:0372
Last major update 05-12-2016 - 22:03
Published 15-02-2016 - 21:59
Last modified 09-09-2017 - 21:29