ID CVE-2013-0263
Summary Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
References
Vulnerable Configurations
  • cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:rack_project:rack:1.1.6:*:*:*:*:*:*:*
CVSS
Base: 5.1 (as of 13-08-2018 - 21:47)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: HIGH
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
cvss-vector via4 AV:N/AC:H/Au:N/C:P/I:P/A:P
redhat via4
advisories
rhsa
id RHSA-2013:0686
rpms
  • jenkins-0:1.502-1.el6op
  • openshift-origin-cartridge-jenkins-1.4-0:1.0.3-1.el6op
  • ruby193-rubygem-rack-1:1.4.1-4.el6
  • rubygem-rack-1:1.3.0-4.el6op
  • candlepin-0:0.7.24-1.el6_3
  • candlepin-devel-0:0.7.24-1.el6_3
  • candlepin-selinux-0:0.7.24-1.el6_3
  • candlepin-tomcat6-0:0.7.24-1.el6_3
  • katello-common-0:1.2.1.1-1h.el6_4
  • katello-configure-0:1.2.3.1-4h.el6_4
  • katello-glue-candlepin-0:1.2.1.1-1h.el6_4
  • katello-headpin-0:1.2.1.1-1h.el6_4
  • katello-headpin-all-0:1.2.1.1-1h.el6_4
  • ruby-nokogiri-0:1.5.0-0.9.beta4.el6cf
  • rubygem-actionpack-1:3.0.10-12.el6cf
  • rubygem-activemodel-0:3.0.10-3.el6cf
  • rubygem-activemodel-doc-0:3.0.10-3.el6cf
  • rubygem-delayed_job-0:2.1.4-3.el6cf
  • rubygem-delayed_job-doc-0:2.1.4-3.el6cf
  • rubygem-json-0:1.7.3-2.el6_3
  • rubygem-json-debuginfo-0:1.7.3-2.el6_3
  • rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf
  • rubygem-nokogiri-debuginfo-0:1.5.0-0.9.beta4.el6cf
  • rubygem-nokogiri-doc-0:1.5.0-0.9.beta4.el6cf
  • rubygem-rack-1:1.3.0-4.el6cf
  • rubygem-rails_warden-0:0.5.5-2.el6cf
  • rubygem-rails_warden-doc-0:0.5.5-2.el6cf
  • rubygem-rdoc-0:3.8-6.el6cf
  • rubygem-rdoc-doc-0:3.8-6.el6cf
  • thumbslug-0:0.0.28.1-1.el6_4
  • thumbslug-selinux-0:0.0.28.1-1.el6_4
refmap via4
confirm
debian DSA-2783
misc
osvdb 89939
secunia
  • 52033
  • 52134
  • 52774
suse openSUSE-SU-2013:0462
Last major update 13-08-2018 - 21:47
Published 08-02-2013 - 20:55
Last modified 13-08-2018 - 21:47