PT-2019-14831 · Rack+3
Will Leinweber · Published 2019-12-18 · Updated 2026-03-13
CVE-2019-16782 · CVSS v3.1 6.3 (Medium)
| Vector | AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 1.6.12
Rack versions prior to 2.0.8
Description
There's a possible information leak / session hijack issue in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
Recommendations
For versions prior to 1.6.12, apply the 1-6-session-timing-attack.patch to fix the issue.
For versions prior to 2.0.8, apply the 2-0-session-timing-attack.patch to fix the issue.
As a temporary workaround, consider implementing a secure comparison for the session id in the backing store to minimize the risk of exploitation.
Exploit
Fix
Side Channel Attack
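The workaround in the Recommendations above, as an added Ruby example that is not the page's or Rack's own code: a constructed in-memory store whose key comparison exits at the first mismatching byte (exposing how much work each lookup did), alongside a hardened store that indexes sessions by a SHA-256 digest of the id and checks keys in constant time. Class and method names are assumptions made for this illustration; indexing by a digest of the id is the approach Rack's fix takes.

```ruby
require "digest"

# Constructed toy store (not Rack code): session ids kept in a plain Hash.
# find exits at the first mismatching byte, so the work done, and thus the
# time taken, grows with the matching prefix; `comparisons` exposes that work.
class NaiveSessionStore
  attr_reader :comparisons
  def initialize(sessions)
    @sessions = sessions   # { session_id => session_data }
    @comparisons = 0
  end

  def find(sid)
    @sessions.each do |stored_id, data|
      match = stored_id.bytesize == sid.bytesize
      stored_id.each_byte.with_index do |byte, i|
        break unless match
        @comparisons += 1
        match = false if byte != sid.getbyte(i)
      end
      return data if match
    end
    nil
  end
end

# Hardened variant: sessions are indexed by a SHA-256 digest of the id, so
# whatever the index leaks about its key comparison describes the digest,
# not the id the client sent, and the final check runs over every byte.
class HardenedSessionStore
  def initialize(sessions)
    @sessions = sessions.to_h { |sid, data| [private_id(sid), data] }
  end

  def private_id(sid)
    Digest::SHA256.hexdigest(sid)
  end

  # XOR-fold comparison: the same number of operations whether the strings
  # differ in the first byte, the last byte, or not at all.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def find(sid)
    key = private_id(sid)
    @sessions.each { |stored_key, data| return data if secure_compare(stored_key, key) }
    nil
  end
end
```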
Related Identifiers
Affected Products
Linuxmint
Rack
Suse
Ubuntu