Veracode Vulnerability Database, VERACODE:20571
Jun 21, 2019 - 4:33 a.m.

Information Disclosure Through Timing Attack

2019-06-21 04:33:08
Veracode Vulnerability Database
sca.analysiscenter.veracode.com

CVSS2 score: 5 (Medium)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

actionpack and activesupport are vulnerable to information disclosure. A timing attack is possible because the message digest is not compared using a constant-time string comparison, which leads to information disclosure.
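
The comparison weakness described above, shown beside a hardened form. This is an added example, not code from actionpack, activesupport or the advisory; the `data--digest` message layout, the method names and the secret are assumptions made for the sketch.

```ruby
require "openssl"

# Constructed sample secret for the example only.
SECRET = "example-secret-not-for-production"

def digest_for(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, data)
end

# Hypothetical message layout: "<data>--<hex HMAC of data>".
def sign(secret, data)
  "#{data}--#{digest_for(secret, data)}"
end

# Splits on the last "--" so data may itself contain the separator.
def split_signed(signed)
  data, sep, digest = signed.to_s.rpartition("--")
  sep.empty? ? nil : [data, digest]
end

# Weak form: String#== can stop at the first differing byte, so the time
# taken depends on how much of the supplied digest is correct.
def verify_weak(secret, signed)
  data, digest = split_signed(signed)
  return nil unless data
  digest == digest_for(secret, data) ? data : nil
end

# Constant-time comparison: every byte is examined and differences are
# accumulated, so a mismatch position does not change the running time.
# The early length check only reveals the digest length, which is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened form: same logic, digest checked with secure_compare.
def verify_hardened(secret, signed)
  data, digest = split_signed(signed)
  return nil unless data
  secure_compare(digest, digest_for(secret, data)) ? data : nil
end
```

Both verifiers accept and reject the same messages; the difference is only in whether the time to reject depends on the supplied digest.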

CPE Name        Operator   Version
actionpack      le         2.2.2
activesupport   le         2.3.3
