CVE-2019-16782 — Observable Timing Discrepancy in Rack

CWE-208 — Observable Timing Discrepancy CWE-203 — Observable Discrepancy CWE-200 — Sensitive Information Exposure18 documents8 sources

Severity

5.9MEDIUMNVD

NVD5.3

EPSS

0.9%

top 24.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Debian Ruby-rack Rubyonrails Active Record Session Store +2 more

Timeline

PublishedDec 18

Latest updateJul 31

Description

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid sessi…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages5 packages

▶NVDrubyonrails/active_record_session_store1.1.3

▶NVDrack/rack2.0.0 — 2.0.8+1

▶RubyGemsrack/rack2.0.0 — 2.0.8+1

▶debiandebian/ruby-rack< ruby-rack 2.1.1-2 (bookworm)

▶NVDopensuse/leap15.1

Also affects: Fedora 31

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

ruby-rack vulnerabilities↗2022-12-13

▶

OSV

Activerecord-session_store Vulnerable to Timing Attack↗2021-03-09

▶

GHSA

Activerecord-session_store Vulnerable to Timing Attack↗2021-03-09

▶

OSV

CVE-2019-25025: The activerecord-session_store (aka Active Record Session Store) component through 1↗2021-03-05

▶

GHSA

Possible Information Leak / Session Hijack Vulnerability in Rack↗2019-12-18

▶

📋Vendor Advisories

Ubuntu

Rack vulnerabilities↗2022-12-13

▶

Red Hat

rubygem-activerecord-session_store: hijack sessions by using timing attacks targeting the session id↗2019-12-22

▶

Red Hat

rubygem-rack: hijack sessions by using timing attacks targeting the session id↗2019-12-18

▶

Debian

CVE-2019-16782: ruby-rack - There's a possible information leak / session hijack vulnerability in Rack (Ruby...↗2019

▶

📄Research Papers

arXiv

Microservice Vulnerability Analysis: A Literature Review with Empirical Insights↗2024-07-31

▶

💬Community

Bugzilla

CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id [epel-6]↗2020-01-08

▶

Bugzilla

CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id↗2020-01-08

▶

Bugzilla

CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id [fedora-all]↗2020-01-08

▶

Bugzilla

CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id [epel-7]↗2020-01-08

▶