CVE-2019-16779Improper Control of a Resource Through its Lifetime in Excon

CWE-664Improper Control of a Resource Through its LifetimeCWE-362Race Condition6 documents5 sources
Severity
5.9MEDIUMNVD
CNA5.8
EPSS
0.6%
top 31.83%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
5
ExconExcon Project ExconDebian Linux+2 more
Timeline
PublishedDec 16

Description

In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

CVEListV5excon/excon< 0.71.0
RubyGemsexcon/excon< 0.71.0
NVDexcon_project/excon< 0.71.0
NVDopensuse/leap15.1

Also affects: Debian Linux 8.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
In RubyGem excon, interrupted Persistent Connections May Leak Response Data2019-12-16
CVEList
In RubyGem excon, interrupted Persistent Connections May Leak Response Data2019-12-16
OSV
CVE-2019-16779: In RubyGem excon before 02019-12-16
GHSA
In RubyGem excon, interrupted Persistent Connections May Leak Response Data2019-12-16

📋Vendor Advisories

1
Debian
CVE-2019-16779: ruby-excon - In RubyGem excon before 0.71.0, there was a race condition around persistent con...2019
CVE-2019-16779 — Excon vulnerability | cvebase