CVE-2018-1000119

EPSS 0.43%
Veröffentlicht 07.03.2018 14:29:00
Zuletzt bearbeitet 21.11.2024 03:39:41
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Sinatrarb ≫ Rack-protection Version < 1.5.5

Sinatrarb ≫ Rack-protection Version2.0.0 Updaterc1

Sinatrarb ≫ Rack-protection Version2.0.0 Updaterc2

Sinatrarb ≫ Rack-protection Version2.0.0 Updaterc3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.43%	0.616

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

https://access.redhat.com/errata/RHSA-2018:1060

Third Party Advisory

https://github.com/sinatra/rack-protection/pull/98

Third Party Advisory

Issue Tracking

https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109

Patch

Third Party Advisory

Issue Tracking

https://www.debian.org/security/2018/dsa-4247

https://nvd.nist.gov/vuln/detail/CVE-2018-1000119

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2018-1000119

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2018-1000119

EUVD