Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in rack-2.0.7.gem
Summary: IBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of rack-2.0.7.gem. Vulnerability Details: CVEID: CVE-2022-44572 DESCRIPTION: Rack is vulnerable to a denial of service, caused by a regular expression denial of service (ReDoS) flaw in the multipart parsing component...
Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Rack vulnerabilities (USN-5253-1)
The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-5253-1 advisory. It was discovered that Rack insecurely handled session ids. An unauthenticated remote attacker could possibly use this issue to...
Home Assistant < 0.57 XSS Vulnerability
Home Assistant is prone to a cross-site scripting (XSS) vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
Ubuntu: Security Advisory (USN-5253-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
USN-5253-1: Rack vulnerabilities
It was discovered that Rack insecurely handled session ids. An unauthenticated remote attacker could possibly use this issue to perform a timing attack and hijack sessions. CVE-2019-16782 It was discovered that Rack was incorrectly handling cookies during parsing, not validating them or performin...
Mageia: Security Advisory (MGASA-2020-0252)
The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
CVE-2020-16782
CVE-2020-16782 entry is rejected/not used; this ID does not represent an active vulnerability.
CVE-2020-16782
...
GHSA-CVW2-XJ8R-MJF7 Activerecord-session_store Vulnerable to Timing Attack
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
Activerecord-session_store Vulnerable to Timing Attack
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
Information Disclosure
activerecord-session_store is vulnerable to information disclosure. The package does not use a constant-time approach when validating a session ID. Remote attackers are able to analyze the response time to discover a session ID. This vulnerability is related to CVE-2019-16782...
activerecord-session_store Timing Attack
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
CVE-2019-16782
| creationtimestamp | type | source |
|---|---|---|
| 2021-03-05 12:47:27+00:00 | seen | https://t.me/cibsecurity/24503 |
| 2024-03-15 15:22:07+00:00 | seen | https://t.me/ctinow/208841 |
| 2025-02-14 10:08:10+00:00 | seen | Telegram/0UKdrEe-YbJuuiI55HGsNMM2UUSSS6hdvPpLoO34gdgR-WA... |
CVE-2019-25025
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
Design/Logic Flaw
The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a...
Observable Timing Discrepancy
The activerecord-session_store (aka Active Record Session Store) component for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a...
MGASA-2020-0252 Updated ruby-rack packages fix security vulnerability
Updated ruby-rack packages fix security vulnerabilities: There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a...
Updated ruby-rack packages fix security vulnerability
Updated ruby-rack packages fix security vulnerabilities: There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a...
RHEL 8 : CloudForms 5.0.6 (RHSA-2020:2480)
The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:2480 advisory. Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments...
Fedora: Security Advisory for rubygem-rack (FEDORA-2020-57fc0d0156)
The remote host is missing an update for the Copyright (C) 2020 Greenbone Networks GmbH Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...