5

CVE-2009-3086

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version2.1.0
RubyonrailsRails Version2.1.1
RubyonrailsRails Version2.1.2
RubyonrailsRails Version2.2.0
RubyonrailsRails Version2.2.1
RubyonrailsRails Version2.2.2
RubyonrailsRails Version2.3.2
RubyonrailsRails Version2.3.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.23% 0.805
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:P/I:N/A:N
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://secunia.com/advisories/36600
http://www.vupen.com/english/advisories/2009/2544
Vendor Advisory
http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
Patch
http://www.debian.org/security/2011/dsa-2260
http://www.securityfocus.com/bid/37427