CVSS2 score: 5 (Medium)

| Metric | Value |
|---|---|
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | NONE |
| Availability Impact | NONE |

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
actionpack and activesupport are vulnerable to information disclosure. The message digest was compared without a constant-time string comparison, so the time taken by the comparison depended on how many leading bytes matched; this made a timing attack possible and led to information disclosure.
CPE

| Name | Operator | Version |
|---|---|---|
| actionpack | le | 2.2.2 |
| activesupport | le | 2.3.3 |
lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
secunia.com/advisories/36600
weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
www.debian.org/security/2011/dsa-2260
www.securityfocus.com/bid/37427
www.vupen.com/english/advisories/2009/2544
github.com/rails/rails/commit/1f07a89c5946910fc28ea5ccd1da6af8a0f972a0
github.com/rails/rails/commit/674f780d59a5a7ec0301755d43a7b277a3ad2978