Lucene search

K
ubuntucveUbuntu.comUB:CVE-2015-7576
HistoryFeb 16, 2016 - 12:00 a.m.

CVE-2015-7576

2016-02-1600:00:00
ubuntu.com
ubuntu.com
12

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

0.019 Low

EPSS

Percentile

88.6%

The http_basic_authenticate_with method in
actionpack/lib/action_controller/metal/http_authentication.rb in the Basic
Authentication implementation in Action Controller in Ruby on Rails before
3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x
before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying
credentials, which makes it easier for remote attackers to bypass
authentication by measuring timing differences.

Notes

Author Note
seth-arnold In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward precise_ruby-actionpack-2.3 – documentation is buggy but doesn’t contain an implmentation itself.
OSVersionArchitecturePackageVersionFilename
ubuntu15.04noarchrails<Β 2:4.1.8-1+deb8u1build0.15.04.1UNKNOWN

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

0.019 Low

EPSS

Percentile

88.6%