Package details: pkg:deb/debian/ruby-rack@2.1.1-2?distro=trixie
purl pkg:deb/debian/ruby-rack@2.1.1-2?distro=trixie
Vulnerabilities affecting this package (0)

This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (1)

Vulnerability: VCID-yw62-qbkq-9ygq
Aliases: CVE-2019-16782, GHSA-hrqr-hxpp-chr3
Summary: Possible Information Leak / Session Hijack Vulnerability in Rack

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

### Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds

There are no known workarounds.

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.6 series

### Credits

Thanks Will Leinweber for reporting this!

History

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-16T08:55:33.622698+00:00 | Debian Importer | Fixing | VCID-yw62-qbkq-9ygq | https://security-tracker.debian.org/tracker/data/json | 38.4.0
2026-04-11T17:59:25.391085+00:00 | Debian Importer | Fixing | VCID-yw62-qbkq-9ygq | https://security-tracker.debian.org/tracker/data/json | 38.3.0
2026-04-03T07:52:19.489998+00:00 | Debian Importer | Fixing | VCID-yw62-qbkq-9ygq | https://security-tracker.debian.org/tracker/data/json | 38.1.0