5.9

CVE-2018-1000119

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
SinatrarbRack-protection Version < 1.5.5
SinatrarbRack-protection Version2.0.0 Updaterc1
SinatrarbRack-protection Version2.0.0 Updaterc2
SinatrarbRack-protection Version2.0.0 Updaterc3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.49% 0.826
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor.

https://access.redhat.com/errata/RHSA-2018:1060
Third Party Advisory
https://github.com/sinatra/rack-protection/pull/98
Third Party Advisory
Issue Tracking
https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109
Patch
Third Party Advisory
Issue Tracking
https://www.debian.org/security/2018/dsa-4247