Search for packages
| purl | pkg:gem/rack@1.7 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-9xy8-h3y1-mubv
Aliases: CVE-2018-16471 GHSA-5r2p-j47h-mhpg |
Cross-site Scripting There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to HTTP or HTTPS and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not be impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable. |
Affected by 27 other vulnerabilities. |
|
VCID-yw62-qbkq-9ygq
Aliases: CVE-2019-16782 GHSA-hrqr-hxpp-chr3 |
Possible Information Leak / Session Hijack Vulnerability in Rack There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. ### Impact The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session. ## Releases The 1.6.12 and 2.0.8 releases are available at the normal locations. ### Workarounds There are no known workarounds. ### Patches To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 1-6-session-timing-attack.patch - Patch for 1.6 series * 2-0-session-timing-attack.patch - Patch for 2.6 series ### Credits Thanks Will Leinweber for reporting this! |
Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T15:18:30.177813+00:00 | Ruby Importer | Affected by | VCID-9xy8-h3y1-mubv | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml | 38.0.0 |
| 2026-04-01T15:18:29.949520+00:00 | Ruby Importer | Affected by | VCID-yw62-qbkq-9ygq | https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml | 38.0.0 |