CVE-2009-3086 — Sensitive Information Exposure in Rails

CWE-200 — Sensitive Information Exposure8 documents6 sources

Severity

5.0MEDIUMNVD

EPSS

0.6%

top 31.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack

Timeline

PublishedSep 8

Latest updateOct 24

Description

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.

CVSS vector

AV:N/AC:L/C:P/I:N/A:NExploitability: 10.0 | Impact: 2.9

Affected Packages3 packages

▶Debianrubyonrails/rails< 2.2.3-1+3

▶NVDrubyonrails/rails8 versions+7

▶RubyGemsactionpack_project/actionpack2.1.0 — 2.2.3+1

Patches

Patch: weblog.rubyonrails.org ↗Patch: weblog.rubyonrails.org ↗

🔴Vulnerability Details

OSV

actionpack and activesupport vulnerable to information leaks↗2017-10-24

▶

GHSA

actionpack and activesupport vulnerable to information leaks↗2017-10-24

▶

OSV

CVE-2009-3086: A certain algorithm in Ruby on Rails 2↗2009-09-08

▶

CVEList

CVE-2009-3086: A certain algorithm in Ruby on Rails 2↗2009-09-08

▶

📋Vendor Advisories

Debian

CVE-2009-3086: rails - A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4...↗2009

▶

💬Community

Bugzilla

CVE-2009-3086 rubygem-actionpack: Message digest forgery [epel-5]↗2013-05-08

▶

Bugzilla

CVE-2009-3086 rubygem-actionpack: Message digest forgery↗2009-09-09

▶