Rack · Rack · CVE-2019-16782
**Name of the Vulnerable Software and Affected Versions**
Rack versions prior to 1.6.12
Rack versions prior to 2.0.8
**Description**
There's a possible information leak / session hijack issue in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the `session id`. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that `session id`. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid `session id` and hijack the session. The `session id` itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
**Recommendations**
For versions prior to 1.6.12, apply the 1-6-session-timing-attack.patch to fix the issue.
For versions prior to 2.0.8, apply the 2-0-session-timing-attack.patch to fix the issue.
As a temporary workaround, consider implementing a secure comparison for the `session id` in the backing store to minimize the risk of exploitation.
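The comparison the workaround refers to, shown as an added example that is not part of the Rack advisory or of Rack's own code. It models the backing store as a plain in-memory Hash keyed by the session id (a simplification; the store names, ids and data below are constructed placeholders) and places the early-exit lookup next to a constant-time one.

```ruby
# Added example (not from the Rack advisory or the Rack project): a minimal
# in-memory session store with a naive lookup beside a constant-time lookup.
# Session ids and session data here are constructed placeholders.
require 'securerandom'

# Constructed sample store: fixed-length (32 hex char) ids mapped to session data.
SAMPLE_STORE = {
  "0123456789abcdef0123456789abcdef" => { user: "alice" },
  "fedcba9876543210fedcba9876543210" => { user: "bob" },
}.freeze

# Naive lookup: String#== returns at the first differing byte and the scan
# returns at the first hit, so elapsed time depends on how much of the
# presented id matches a stored one and where that id sits in the store.
def find_session_naive(store, sid)
  store.each { |stored_id, data| return data if stored_id == sid }
  nil
end

# Constant-time comparison: always walks every byte and accumulates the
# differences with XOR, so run time does not reveal where the strings diverge.
# A length mismatch is rejected up front; session ids have a fixed length,
# so the length itself is not secret.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Hardened lookup: compares every stored id with secure_compare and does not
# return early, so the cost is independent of which entry (if any) matches.
def find_session_secure(store, sid)
  match = nil
  store.each do |stored_id, data|
    match = data if secure_compare(stored_id, sid)
  end
  match
end

# Fresh ids should still come from a CSPRNG; the comparison fix does not
# replace id randomness, it protects the lookup of an already random id.
def generate_session_id
  SecureRandom.hex(16)
end

if __FILE__ == $0
  probe = "0123456789abcdef" + "0" * 16   # half-correct guess, constructed
  p find_session_naive(SAMPLE_STORE, probe)   # nil, but with a match-length-dependent cost
  p find_session_secure(SAMPLE_STORE, probe)  # nil, with a cost independent of the probe
  p find_session_secure(SAMPLE_STORE, "0123456789abcdef0123456789abcdef")
end
```

The scan-based store above is only a model: a real backing store indexed for fast lookup will not do a linear scan, and the timing difference the advisory describes lives in that indexing scheme rather than in a Ruby `==`. The general principle is the same, though: nothing on the lookup path should let elapsed time depend on how many bytes of a presented id match a stored one. A common complementary design, independent of this advisory's patches, is to index the store by a fixed-length digest of the session id rather than the raw id, so the index never contains the secret that a client presents.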