AI Score: 8 (High); confidence: Low
CVSS2: 5.1 (Medium)
  Access Vector: NETWORK
  Access Complexity: HIGH
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EPSS: 0.084 (Low); percentile: 94.2%
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
rhn.redhat.com/errata/RHSA-2013-0686.html
secunia.com/advisories/52033
secunia.com/advisories/52134
secunia.com/advisories/52774
www.debian.org/security/2013/dsa-2783
www.osvdb.org/89939
bugzilla.redhat.com/show_bug.cgi?id=909071
gist.github.com/codahale/f9f3781f7b54985bee94
github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
groups.google.com/forum/
puppet.com/security/cve/cve-2013-0263
rack.github.com/
twitter.com/coda/statuses/299732877745197056