CVE-2013-0263 Rack vulnerability

11 documents, 7 sources
Severity
5.1 MEDIUM (NVD)
EPSS
8.6% (top 7.55%)
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Feb 8
Latest update: May 5

Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
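The issue described above is the comparison of the expected HMAC against the digest carried in the cookie. The following added example (not code from Rack or from this page) contrasts an early-exit comparison with a constant-time one and uses the latter to verify a `payload--hmac` cookie in the same shape Rack::Session::Cookie uses; the secret, payload and helper names are constructed for illustration.

```ruby
require 'openssl'

# Constructed secret for the example only; not a real key.
SECRET = 'example-secret-do-not-use'.freeze

# HMAC-SHA1 hex digest over the cookie payload, as Rack::Session::Cookie signs it.
def sign(payload)
  OpenSSL::HMAC.hexdigest('SHA1', SECRET, payload)
end

# Byte-by-byte comparison that stops at the first mismatch.
# Returns [equal?, bytes_examined]; the second value models the work,
# and therefore the time, that such a comparison leaks about how long a
# matching prefix the supplied digest had. This is the weak pattern.
def early_exit_compare(a, b)
  return [false, 0] if a.bytesize != b.bytesize
  a.bytes.each_with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison: XOR every byte pair and OR the results,
# so the work done does not depend on where the inputs first differ.
# This is the approach Rack::Utils.secure_compare takes in fixed versions.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack('C*')
  res = 0
  b.each_byte { |byte| res |= byte ^ l.shift }
  res == 0
end

# Verify a "payload--hmac" session cookie using a constant-time comparison.
def valid_cookie?(cookie)
  payload, digest = cookie.split('--', 2)
  return false if digest.nil?
  secure_compare(sign(payload), digest)
end

if __FILE__ == $PROGRAM_NAME
  payload = ['user_id=42'].pack('m0')          # base64, like Rack's encoded session
  puts valid_cookie?("#{payload}--#{sign(payload)}")   # true
  puts valid_cookie?("#{payload}--#{'0' * 40}")        # false
end
```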

CVSS vector

AV:N/AC:H/C:P/I:P/A:P
Exploitability: 4.9 | Impact: 6.4

Affected Packages (2 packages)

RubyGems rack/rack 1.5.0 1.5.2 +4
NVD rack_project/rack 28 versions +27

Vulnerability Details (4)

OSV
Rack arbitrary code execution via timing attack (2022-05-05)
GHSA
Rack arbitrary code execution via timing attack (2022-05-05)
OSV
CVE-2013-0263: Rack::Session::Cookie in Rack 1 (2013-02-08)
CVEList
CVE-2013-0263: Rack::Session::Cookie in Rack 1 (2013-02-08)

Vendor Advisories (2)

Red Hat
rubygem-rack: Timing attack in cookie sessions (2013-02-08)
Debian
CVE-2013-0263: ruby-rack - Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x befo... (2013)

Community (4)

Bugzilla
CVE-2013-0263 Rubygem Rack: Timing attack in cookie sessions [fedora-all] (2013-02-08)
Bugzilla
CVE-2013-0263 Rubygem Rack: Timing attack in cookie sessions [epel-all] (2013-02-08)
Bugzilla
CVE-2013-0263 Rubygem Rack: Timing attack in cookie sessions [epel-all] (2013-02-08)
Bugzilla
CVE-2013-0263 rubygem-rack: Timing attack in cookie sessions (2013-02-08)
CVE-2013-0263 — Rack vulnerability | cvebase