Vulnerabilities affecting this package (1)
| Vulnerability |
Summary |
Fixed by |
VCID-yw62-qbkq-9ygq
Aliases:
CVE-2019-16782
GHSA-hrqr-hxpp-chr3
|
Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
### Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
## Releases
The 1.6.12 and 2.0.8 releases are available at the normal locations.
### Workarounds
There are no known workarounds.
### Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.6 series
### Credits
Thanks Will Leinweber for reporting this!
|
There are no reported fixed by versions.
|
Vulnerabilities fixed by this package (0)
| Vulnerability |
Summary |
Aliases |
|
This package is not known to fix vulnerabilities.
|