PT-2013-2198 · Rack+1

Published 2013-02-08 · Updated 2026-03-13 · CVE-2013-0263

CVSS v2.0: 5.1 (Medium)

Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Rack versions 1.1.x before 1.1.6
Rack versions 1.2.x before 1.2.8
Rack versions 1.3.x before 1.3.10
Rack versions 1.4.x before 1.4.5
Rack versions 1.5.x before 1.5.2

Description

The issue allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. This is related to the Rack::Session::Cookie component.

Recommendations

For Rack version 1.1.x, update to version 1.1.6 or later.
For Rack version 1.2.x, update to version 1.2.8 or later.
For Rack version 1.3.x, update to version 1.3.10 or later.
For Rack version 1.4.x, update to version 1.4.5 or later.
For Rack version 1.5.x, update to version 1.5.2 or later.
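The weakness class described above, shown as an added example that is not Rack's own code: a signed-cookie check that compares the HMAC with `==` next to one that compares in constant time. The `value--digest` cookie layout, the SHA256 digest, the key and all helper names are assumptions made for this illustration.

```ruby
require "openssl"

SECRET = "constructed-demo-secret" # constructed sample key for this example

def hmac_hex(value, secret)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA256"), secret, value)
end

# Sign a value as "value--hexdigest" (assumed layout, see lead-in).
def sign(value, secret = SECRET)
  "#{value}--#{hmac_hex(value, secret)}"
end

# Split on the last "--" so a value containing "--" still parses.
def split_cookie(cookie)
  s = cookie.to_s
  idx = s.rindex("--")
  return [nil, nil] unless idx
  [s[0...idx], s[(idx + 2)..-1]]
end

# Weak pattern: String#== can return at the first differing byte, so response
# time depends on how many leading digest bytes were correct.
def verify_insecure(cookie, secret = SECRET)
  value, digest = split_cookie(cookie)
  return nil unless value
  digest == hmac_hex(value, secret) ? value : nil
end

# Constant-time comparison: every byte is examined and the differences are
# OR-ed together, so the running time does not depend on where they differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened check: same logic, but the digest is compared in constant time.
def verify_secure(cookie, secret = SECRET)
  value, digest = split_cookie(cookie)
  return nil unless value
  secure_compare(digest, hmac_hex(value, secret)) ? value : nil
end
```

The length check in `secure_compare` reveals only the digest length, which is fixed and public for a given hash function.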

Fix


Related identifiers

CVE-2013-0263
DSA-2783-1
GHSA-XC85-32MF-XPV8
OPENSUSE-SU-2024:10115-1
OPENSUSE-SU-2024:10406-1
OPENSUSE-SU-2024:11344-1
OPENSUSE-SU-2024:11345-1
OPENSUSE-SU-2024:11346-1
OPENSUSE-SU-2024:12119-1
OPENSUSE-SU-2024:12397-1
OPENSUSE-SU-2024:12974-1
OPENSUSE-SU-2024:13167-1
OPENSUSE-SU-2024:13726-1
OPENSUSE-SU-2024:13727-1
OPENSUSE-SU-2025:14811-1
OPENSUSE-SU-2025:14875-1
OPENSUSE-SU-2026:10286-1
OPENSUSE-SU-2026:10358-1
RHSA-2013:0638

Affected products

Rack
Suse