PT-2018-2306 · Sinatra+2 · Rack-Protection+2

Author: Ghost · Published 2018-03-07 · Updated 2020-08-24 · CVE-2018-1000119

CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the vulnerable software and affected versions: Sinatra rack-protection, versions 1.5.4 and earlier and 2.0.0.rc3 and earlier.

Description: The issue is a timing-attack vulnerability in the CSRF token checking mechanism. Because the token check leaks timing information, the vulnerability can result in signatures being exposed, and it appears to be exploitable by anyone with network connectivity to the Ruby application. A remote attacker who exploits the flawed CSRF token check can gain unauthorized access to protected information.

Recommendations: For versions 1.5.4 and earlier, update to version 1.5.5. For version 2.0.0.rc3 and earlier, update to version 2.0.0.
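The advisory describes the bug class only in general terms. The following Ruby snippet is an added illustration, not code from rack-protection or Sinatra, of why an early-exit string comparison leaks timing information and what a constant-time check looks like. The function names (`early_exit_compare`, `constant_time_compare`, `safe_token_match?`) and the sample token are constructed for this example and do not correspond to the library's actual implementation; the instrumented counters stand in for the elapsed time an attacker would measure over the network.

```ruby
require 'openssl'

# Instrumented early-exit comparison, the shape of a naive String#== loop.
# Returns [match?, bytes_inspected]. The second value grows with the length
# of the correct prefix, which is exactly the signal a timing attack measures.
def early_exit_compare(expected, presented)
  return [false, 0] if expected.bytesize != presented.bytesize
  expected.bytesize.times do |i|
    return [false, i + 1] if expected.getbyte(i) != presented.getbyte(i)
  end
  [true, expected.bytesize]
end

# Constant-time comparison: every byte is visited regardless of where the
# first mismatch is, and differences are accumulated with XOR so no branch
# depends on secret data. Returns [match?, bytes_inspected] for comparison
# with the leaky version above.
def constant_time_compare(expected, presented)
  return [false, 0] if expected.bytesize != presented.bytesize
  diff = 0
  expected.bytesize.times do |i|
    diff |= expected.getbyte(i) ^ presented.getbyte(i)
  end
  [diff.zero?, expected.bytesize]
end

# Hardened token check (hypothetical helper, not the library's own API):
# hashing both sides first makes the compared lengths equal, so even a
# length mismatch between the real token and the presented one is not
# observable through the early length check.
def safe_token_match?(expected, presented)
  return false if expected.nil? || presented.nil?
  a = OpenSSL::Digest::SHA256.digest(expected)
  b = OpenSSL::Digest::SHA256.digest(presented)
  constant_time_compare(a, b).first
end

if __FILE__ == $PROGRAM_NAME
  token = 'abcdef1234567890' # constructed sample token, not a real secret
  guesses = ['zbcdef1234567890', 'abcdefx234567890', 'abcdef123456789z']
  guesses.each do |g|
    puts "leaky:    #{g} -> #{early_exit_compare(token, g).inspect}"
    puts "constant: #{g} -> #{constant_time_compare(token, g).inspect}"
  end
  puts "safe_token_match? correct token: #{safe_token_match?(token, token)}"
  puts "safe_token_match? short guess:   #{safe_token_match?(token, 'abc')}"
end
```

With the leaky comparison the number of bytes inspected (and thus the elapsed time) reveals how many leading bytes of a guess are correct, which lets an attacker recover a token byte by byte; the constant-time version inspects the full length every time, so the response time carries no information about the secret.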

Tags: Exploit · Fix · Information Disclosure · Side Channel Attack


Weakness Enumeration

Related identifiers

BDU:2019-00439
CESA-2018_1060
CVE-2018-1000119
DSA-4247-1
GHSA-688C-3X49-6RQJ
RHSA-2018:1060
RHSA-2018_1060
RHSA-2020:4366
RHSA-2021:1313

Affected products

Centos
Red Hat
Rack-Protection