PT-2013-2198 · Rack+1

Published 2013-02-08 · Updated 2026-03-13 · CVE-2013-0263

CVSS v2.0: 5.1 (Medium)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Rack versions 1.1.x before 1.1.6
Rack versions 1.2.x before 1.2.8
Rack versions 1.3.x before 1.3.10
Rack versions 1.4.x before 1.4.5
Rack versions 1.5.x before 1.5.2

Description

The issue allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack on an HMAC comparison function that does not run in constant time. This is related to the Rack::Session::Cookie component.

Recommendations

For Rack version 1.1.x, update to version 1.1.6 or later.
For Rack version 1.2.x, update to version 1.2.8 or later.
For Rack version 1.3.x, update to version 1.3.10 or later.
For Rack version 1.4.x, update to version 1.4.5 or later.
For Rack version 1.5.x, update to version 1.5.2 or later.
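The following Ruby example is added here to illustrate the flaw the description refers to; it is not Rack's own code. It builds a signed session cookie in the same "payload--hmac" shape that Rack::Session::Cookie uses (the layout is an assumption for illustration), and contrasts a comparison that stops at the first differing byte with one that always examines every byte. Both comparison helpers return how many bytes they examined, so the data-dependent behaviour is visible without a timing harness. The secure_compare below is a hand-rolled equivalent of the constant-time helper the fixed Rack releases use; the secret and session data are constructed sample values.

```ruby
require 'openssl'
require 'json'

# Constructed demo secret; a real deployment loads a long random secret from configuration.
SECRET = 'demo-secret-not-for-production'.freeze

# Serialize session data and sign it as "<base64 payload>--<hex hmac>".
# The layout mirrors Rack::Session::Cookie for illustration only (assumption).
def sign_session(data, secret = SECRET)
  payload = [JSON.generate(data)].pack('m0') # strict base64, no newlines
  digest  = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# The vulnerable pattern: comparison returns as soon as a byte differs.
# Returns [equal?, bytes_examined]; the second value depends on where the
# first mismatch sits, which is exactly what a timing side channel exposes.
def early_exit_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: every byte is XORed into an accumulator and the
# result is checked only at the end, so the work done is independent of where
# (or whether) the strings differ. Length is still compared up front; the
# expected HMAC's length is not secret.
def secure_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  acc = 0
  a.bytes.each_with_index { |byte, i| acc |= byte ^ b.getbyte(i) }
  [acc.zero?, a.bytesize]
end

# Verify a cookie produced by sign_session using the constant-time comparison.
# Returns the session hash on success and nil on any failure.
def verify_session(cookie, secret = SECRET)
  payload, digest = cookie.split('--', 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  ok, _examined = secure_compare(expected, digest)
  return nil unless ok
  JSON.parse(payload.unpack1('m0'))
rescue ArgumentError, JSON::ParserError
  nil # malformed base64 or JSON is treated as an invalid cookie
end

if $PROGRAM_NAME == __FILE__
  cookie = sign_session({ 'user_id' => 42 })
  puts "cookie:   #{cookie}"
  puts "verified: #{verify_session(cookie).inspect}"
  puts "early-exit examined: #{early_exit_compare('abcdef', 'abcxyz').last} vs #{early_exit_compare('abcdef', 'xbcdef').last} bytes"
  puts "constant-time examined: #{secure_compare('abcdef', 'abcxyz').last} vs #{secure_compare('abcdef', 'xbcdef').last} bytes"
end
```

The point to check in a code review is the last line of any MAC or token verification: if it is a plain `==` (or an early-exit loop like early_exit_compare), the verifier is vulnerable in the way the description states; the fix is to route every such comparison through a constant-time helper, as verify_session does.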

Related Identifiers

CVE-2013-0263
DSA-2783-1
GHSA-XC85-32MF-XPV8
OPENSUSE-SU-2024:10115-1
OPENSUSE-SU-2024:10406-1
OPENSUSE-SU-2024:11344-1
OPENSUSE-SU-2024:11345-1
OPENSUSE-SU-2024:11346-1
OPENSUSE-SU-2024:12119-1
OPENSUSE-SU-2024:12397-1
OPENSUSE-SU-2024:12974-1
OPENSUSE-SU-2024:13167-1
OPENSUSE-SU-2024:13726-1
OPENSUSE-SU-2024:13727-1
OPENSUSE-SU-2025:14811-1
OPENSUSE-SU-2025:14875-1
OPENSUSE-SU-2026:10286-1
OPENSUSE-SU-2026:10358-1
RHSA-2013:0638

Affected Products

Rack
Suse