Package details: pkg:rpm/redhat/tfm-rubygem-rbovirt@0.1.7-4?arch=el7sat
purl pkg:rpm/redhat/tfm-rubygem-rbovirt@0.1.7-4?arch=el7sat
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (36)
Vulnerability Summary Fixed by
VCID-1hff-pbpa-p3e5
Aliases:
CVE-2020-5216
GHSA-w978-rmpf-qmwg
Limited header injection when using dynamic overrides with user input in RubyGems secure_headers

### Impact

If user-supplied input was passed into `append/override_content_security_policy_directives`, a newline could be injected leading to limited header injection. Upon seeing a newline in the header, Rails will silently create a new `Content-Security-Policy` header with the remaining value of the original string. It will continue to create new headers for each newline. e.g.

```ruby
override_content_security_policy_directives(script_src: ['mycdn.com', "\ninjected\n"])
```

would result in

```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: injected
Content-Security-Policy: rest-of-the-header
```

CSP supports multiple headers and all policies must be satisfied for execution to occur, but a malicious value that reports the current page is fairly trivial:

```ruby
override_content_security_policy_directives(script_src: ["mycdn.com", "\ndefault-src 'none'; report-uri evil.com"])
```

```
Content-Security-Policy: ... script-src: mycdn.com
Content-Security-Policy: default-src 'none'; report-uri evil.com
Content-Security-Policy: rest-of-the-header
```

### Patches

This has been fixed in 6.3.0, 5.2.0, and 3.9.0.

### Workarounds

```ruby
override_content_security_policy_directives(:frame_src, [user_input.gsub("\n", " ")])
```

### References

- https://github.com/twitter/secure_headers/security/advisories/GHSA-xq52-rv6w-397c
- [The effect of multiple policies](https://www.w3.org/TR/CSP3/#multiple-policies)

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [this repo](https://github.com/twitter/secure_headers/security/advisories/new)
* DM us at @ndm on twitter

There are no reported fixed by versions.
VCID-1xgz-hwng-n3eq
Aliases:
CVE-2020-8185
GHSA-c6qr-h5vq-59jc
Untrusted users can run pending migrations in production in Rails

There is a vulnerability in versions of Rails prior to 6.0.3.2 that allowed an untrusted user to run any pending migrations on a Rails app running in production. This vulnerability has been assigned the CVE identifier CVE-2020-8185.

Versions Affected: 6.0.0 < rails < 6.0.3.2
Not affected: Applications with `config.action_dispatch.show_exceptions = false` (this is not a default setting in production)
Fixed Versions: rails >= 6.0.3.2

Impact
------

Using this issue, an attacker would be able to execute any migrations that are pending for a Rails app running in production mode. It is important to note that an attacker is limited to running migrations the application developer has already defined in their application and ones that have not already run.

Workarounds
-----------

Until such time as the patch can be applied, application developers should disable the ActionDispatch middleware in their production environment via a line such as this one in their config/environment/production.rb:

`config.middleware.delete ActionDispatch::ActionableExceptions`

There are no reported fixed by versions.
VCID-31xv-z8c6-a7bg
Aliases:
CVE-2020-15169
GHSA-cfjv-5498-mph5
XSS in Action View

There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.

### Impact

When an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:

```erb
<%# The welcome_html translation is not defined for the current locale: %>
<%= t("welcome_html", default: untrusted_user_controlled_string) %>

<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>
<%= t("title.html", default: [:"missing.html", untrusted_user_controlled_string]) %>
```

### Patches

Patched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations. The patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest.

To aid users who aren’t able to upgrade immediately, we’ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) — patch for the 5.2 release series
* [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) — patch for the 6.0 release series

Please note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases.

### Workarounds

Impacted users who can’t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`):

```erb
<%= t("welcome_html", default: h(untrusted_user_controlled_string)) %>
```

There are no reported fixed by versions.
VCID-3wa1-khqf-x7fv
Aliases:
CVE-2020-10968
GHSA-rf6r-2c4q-2vwg
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy). There are no reported fixed by versions.
VCID-63rx-372a-ukby
Aliases:
CVE-2020-7942
GHSA-gqvf-892r-vjm5
Improper Certificate Validation in Puppet Previously, Puppet operated on the model that a node with a valid certificate was entitled to all information in the system and that a compromised certificate allowed access to everything in the infrastructure. When a node's catalog falls back to the `default` node, the catalog can be retrieved for a different node by modifying facts for the Puppet run. This issue can be mitigated by setting `strict_hostname_checking = true` in `puppet.conf` on your Puppet master. Puppet 6.13.0 changes the default behavior for strict_hostname_checking from false to true. It is recommended that Puppet Open Source and Puppet Enterprise users that are not upgrading still set strict_hostname_checking to true to ensure secure behavior. There are no reported fixed by versions.
VCID-7v7q-8wa6-hff5
Aliases:
CVE-2018-3258
GHSA-4vrv-ch96-6h42
Improper Access Control A vulnerability in the MySQL Connectors component of Oracle MySQL exists. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. There are no reported fixed by versions.
VCID-895a-ydc5-zfg6
Aliases:
CVE-2020-8162
GHSA-m42x-37p3-fv5w
Circumvention of file size limits in ActiveStorage

There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.

Versions Affected: rails < 5.2.4.2, rails < 6.0.3.1
Not affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Utilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.

There are no reported fixed by versions.
VCID-8zkw-y3yd-yuft
Aliases:
CVE-2020-8161
GHSA-5f9h-9pjv-v6j7
Directory traversal in Rack::Directory app bundled with Rack A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure. There are no reported fixed by versions.
VCID-9qdt-7p83-4yd8
Aliases:
CVE-2020-10969
GHSA-758m-v56v-grj4
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. There are no reported fixed by versions.
VCID-a5sk-5grx-eyaf
Aliases:
CVE-2020-11619
GHSA-27xj-rqx5-2255
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop). There are no reported fixed by versions.
VCID-a6sp-18av-wya6
Aliases:
CVE-2020-8164
GHSA-8727-m6gj-mc37
Possible Strong Parameters Bypass in ActionPack

There is a strong parameters bypass vector in ActionPack.

Versions Affected: rails <= 6.0.3
Not affected: rails < 5.0.0
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying "untrusted" hash of data that was read from the parameters. Applications that use this return value may inadvertently use untrusted user input. Impacted code will look something like this:

```ruby
def update
  # Attacker has included the parameter: `{ is_admin: true }`
  User.update(clean_up_params)
end

def clean_up_params
  params.each { |k, v| SomeModel.check(v) if k == :name }
end
```

Note the mistaken use of `each` in the `clean_up_params` method in the above example.

Workarounds
-----------

Do not use the return values of `each`, `each_value`, or `each_pair` in your application.

There are no reported fixed by versions.
VCID-afkn-k8yk-w3dr
Aliases:
CVE-2020-10693
GHSA-rmrm-75hp-phr2
Improper Input Validation in Hibernate Validator A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages. There are no reported fixed by versions.
VCID-bydt-bkf4-rbh2
Aliases:
CVE-2020-9546
GHSA-5p34-5m6p-p58g
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). There are no reported fixed by versions.
VCID-d4z1-hdkt-r7g1
Aliases:
CVE-2019-10219
GHSA-m8p2-495h-ccmh
The SafeHtml annotation in Hibernate-Validator does not properly guard against XSS attacks A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack. There are no reported fixed by versions.
VCID-es1t-7196-4kbb
Aliases:
CVE-2020-8167
GHSA-xq5j-gw7f-jgj8
CSRF Vulnerability in rails-ujs

There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.

Versions Affected: rails <= 6.0.3
Not affected: Applications which don't use rails-ujs.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

This is a regression of CVE-2015-1840. In the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.

Workarounds
-----------

To work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters. For example, code like this:

```ruby
link_to params
```

to code like this:

```ruby
link_to filtered_params

def filtered_params
  # Filter just the parameters that you trust
end
```

There are no reported fixed by versions.
VCID-jvp6-892x-nkc7
Aliases:
CVE-2020-9548
GHSA-p43x-xfjf-5jhr
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). There are no reported fixed by versions.
VCID-mnkw-23eu-bkgc
Aliases:
CVE-2020-8166
GHSA-jp5v-5gx4-jmj9
Ability to forge per-form CSRF tokens in Rails

It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.

Impact
------

Given the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.

Workarounds
-----------

This is a low-severity security issue. As such, no workaround is necessary until such time as the application can be upgraded.

There are no reported fixed by versions.
VCID-nhvk-z1d5-huce
Aliases:
CVE-2020-14334
foreman: unauthorized cache read on RPM-based installations through local user There are no reported fixed by versions.
VCID-nugh-hm1r-73c7
Aliases:
CVE-2020-14380
Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover There are no reported fixed by versions.
VCID-pnt3-1ssq-tqau
Aliases:
CVE-2020-14061
GHSA-c2q3-4qrh-fm48
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms). There are no reported fixed by versions.
VCID-q4x5-bxn7-5yht
Aliases:
CVE-2018-1000119
GHSA-688c-3x49-6rqj
Timing attack vulnerability Sinatra rack-protection contains a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the ruby application. There are no reported fixed by versions.
VCID-qjez-qe32-e3b6
Aliases:
CVE-2019-12781
GHSA-6c7v-2f49-8h26
PYSEC-2019-10
An issue was discovered in Django 1.11 before 1.11.22, 2.1 before 2.1.10, and 2.2 before 2.2.3. An HTTP request is not redirected to HTTPS when the SECURE_PROXY_SSL_HEADER and SECURE_SSL_REDIRECT settings are used, and the proxy connects to Django via HTTPS. In other words, django.http.HttpRequest.scheme has incorrect behavior when a client uses HTTP. There are no reported fixed by versions.
VCID-r7tw-km29-4bdp
Aliases:
CVE-2020-7238
GHSA-ff2w-cq2g-wv5f
HTTP Request Smuggling in Netty Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869. There are no reported fixed by versions.
VCID-ruae-hqdg-m7ek
Aliases:
CVE-2020-9547
GHSA-q93h-jc49-78gg
jackson-databind mishandles the interaction between serialization gadgets and typing FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`). There are no reported fixed by versions.
VCID-t684-yp58-hkg8
Aliases:
CVE-2020-8165
GHSA-2p68-f74v-9wc6
ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore

In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:

```ruby
data = cache.fetch("demo", raw: true) { untrusted_string }
```

Versions Affected: rails < 5.2.5, rails < 6.0.4
Not affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.
Fixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1

Impact
------

Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.

In addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes, detect if data was serialized using the raw option upon deserialization.

Workarounds
-----------

It is recommended that application developers apply the suggested patch or upgrade to the latest release as soon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using the `raw` argument should be double-checked to ensure that they conform to the expected format.

There are no reported fixed by versions.
VCID-u29q-3x9x-73da
Aliases:
CVE-2020-7663
GHSA-g6wq-qcwm-j5g2
Regular Expression Denial of Service in websocket-extensions (RubyGem)

### Impact

The ReDoS flaw allows an attacker to exhaust the server's capacity to process incoming requests by sending a WebSocket handshake request containing a header of the following form:

```
Sec-WebSocket-Extensions: a; b="\c\c\c\c\c\c\c\c\c\c ...
```

That is, a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. The parser takes exponential time to reject this header as invalid, and this will block the processing of any other work on the same thread. Thus if you are running a single-threaded server, such a request can render your service completely unavailable.

### Patches

Users should upgrade to version 0.1.5.

### Workarounds

There are no known work-arounds other than disabling any public-facing WebSocket functionality you are operating.

### References

- https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions/

There are no reported fixed by versions.
VCID-ugqt-zyga-1ydy
Aliases:
CVE-2020-7943
puppet: puppet server and puppetDB may leak sensitive information via metrics API There are no reported fixed by versions.
VCID-utte-4yve-n7eq
Aliases:
CVE-2020-5217
GHSA-xq52-rv6w-397c
Directive injection when using dynamic overrides with user input

### Impact

If user-supplied input was passed into `append/override_content_security_policy_directives`, a semicolon could be injected leading to directive injection. This could be used to e.g. override a `script-src` directive. Duplicate directives are ignored and the first one wins. The directives in `secure_headers` are sorted alphabetically so they pretty much all come before `script-src`. A previously undefined directive would receive a value even if `SecureHeaders::OPT_OUT` was supplied.

The fixed versions will silently convert the semicolons to spaces and emit a deprecation warning when this happens. This will result in innocuous browser console messages if being exploited/accidentally used. In future releases, we will raise application errors resulting in 500s.

> Duplicate script-src directives detected. All but the first instance will be ignored. See https://www.w3.org/TR/CSP3/#parse-serialized-policy
> Note: In this case, the user agent SHOULD notify developers that a duplicate directive was ignored. A console warning might be appropriate, for example.

### Patches

Depending on what major version you are using, the fixed versions are 6.2.0, 5.1.0, 3.8.0.

### Workarounds

If you are passing user input into the above methods, you could filter out the input:

```ruby
override_content_security_policy_directives(:frame_src, [user_input.gsub(";", " ")])
```

### References

- Reported in https://github.com/twitter/secure_headers/issues/418
- https://www.w3.org/TR/CSP3/#parse-serialized-policy

### For more information

If you have any questions or comments about this advisory:

* Open an issue in [this repo](https://github.com/twitter/secure_headers/issues/new)
* DM @ndm on twitter

There are no reported fixed by versions.
VCID-uygc-h93v-vuh8
Aliases:
CVE-2020-14062
GHSA-c265-37vj-cwcc
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2). There are no reported fixed by versions.
VCID-v61q-45uv-uuf7
Aliases:
CVE-2018-11751
puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL There are no reported fixed by versions.
VCID-v9mt-t1pb-hybk
Aliases:
CVE-2020-5267
GHSA-65cv-r6x7-79hv
Cross site scripting vulnerability in ActionView

There is a possible cross site scripting (XSS) vulnerability in ActionView's JavaScript literal escape helpers. Views that use the `j` or `escape_javascript` methods may be susceptible to XSS attacks.

### Impact

There is a possible XSS vulnerability in the `j` and `escape_javascript` methods in ActionView. These methods are used for escaping JavaScript string literals. Impacted code will look something like this:

```erb
<script>let a = `<%= j unknown_input %>`</script>
```

or

```erb
<script>let a = `<%= escape_javascript unknown_input %>`</script>
```

### Releases

The 6.0.2.2 and 5.2.4.2 releases are available at the normal locations.

### Workarounds

For those that can't upgrade, the following monkey patch may be used:

```ruby
ActionView::Helpers::JavaScriptHelper::JS_ESCAPE_MAP.merge!(
  {
    "`" => "\\`",
    "$" => "\\$"
  }
)

module ActionView::Helpers::JavaScriptHelper
  alias :old_ej :escape_javascript
  alias :old_j :j

  def escape_javascript(javascript)
    javascript = javascript.to_s
    if javascript.empty?
      result = ""
    else
      result = javascript.gsub(/(\\|<\/|\r\n|\342\200\250|\342\200\251|[\n\r"']|[`]|[$])/u, JS_ESCAPE_MAP)
    end
    javascript.html_safe? ? result.html_safe : result
  end

  alias :j :escape_javascript
end
```

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* [5-2-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-5-2-js-helper-xss-patch) - Patch for 5.2 series
* [6-0-js-helper-xss.patch](https://gist.github.com/tenderlove/c042ff49f0347c37e99183a6502accc6#file-6-0-js-helper-xss-patch) - Patch for 6.0 series

Please note that only the 5.2 and 6.0 series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases.

### Credits

Thanks to Jesse Campos from Chef Secure

There are no reported fixed by versions.
VCID-vhdm-w6p1-uuh9
Aliases:
CVE-2015-1820
GHSA-3fhf-6939-qg8p
OSV-119878
Session fixation vulnerability via Set-Cookie headers The package rest-client in `abstract_response.rb` improperly handles `Set-Cookie` headers on HTTP redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal any cookies set by the third-party redirection request. There are no reported fixed by versions.
VCID-xnyb-nuwm-pkdr
Aliases:
CVE-2020-8840
GHSA-4w82-r329-3q67
Deserialization of Untrusted Data in jackson-databind FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter. There are no reported fixed by versions.
VCID-xnz5-gv2x-17bk
Aliases:
CVE-2020-8184
GHSA-j6w9-fv6q-3q52
Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix. There are no reported fixed by versions.
VCID-yw62-qbkq-9ygq
Aliases:
CVE-2019-16782
GHSA-hrqr-hxpp-chr3
Possible Information Leak / Session Hijack Vulnerability in Rack

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

### Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds

There are no known workarounds.

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.6 series

### Credits

Thanks Will Leinweber for reporting this!

There are no reported fixed by versions.
VCID-ze79-6kcg-nfcp
Aliases:
CVE-2020-14195
GHSA-mc6h-4qgp-37qh
Deserialization of untrusted data in Jackson Databind FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity). There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:42:26.279475+00:00 RedHat Importer Affected by VCID-vhdm-w6p1-uuh9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-1820.json 38.0.0
2026-04-01T14:40:59.392136+00:00 RedHat Importer Affected by VCID-q4x5-bxn7-5yht https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000119.json 38.0.0
2026-04-01T14:21:49.439466+00:00 RedHat Importer Affected by VCID-7v7q-8wa6-hff5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-3258.json 38.0.0
2026-04-01T14:18:26.609262+00:00 RedHat Importer Affected by VCID-qjez-qe32-e3b6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12781.json 38.0.0
2026-04-01T14:16:49.856446+00:00 RedHat Importer Affected by VCID-d4z1-hdkt-r7g1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10219.json 38.0.0
2026-04-01T14:14:46.565000+00:00 RedHat Importer Affected by VCID-v61q-45uv-uuf7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-11751.json 38.0.0
2026-04-01T14:14:40.425628+00:00 RedHat Importer Affected by VCID-yw62-qbkq-9ygq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json 38.0.0
2026-04-01T14:13:45.849155+00:00 RedHat Importer Affected by VCID-1hff-pbpa-p3e5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5216.json 38.0.0
2026-04-01T14:13:40.169634+00:00 RedHat Importer Affected by VCID-utte-4yve-n7eq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5217.json 38.0.0
2026-04-01T14:13:23.044303+00:00 RedHat Importer Affected by VCID-r7tw-km29-4bdp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7238.json 38.0.0
2026-04-01T14:12:34.951110+00:00 RedHat Importer Affected by VCID-63rx-372a-ukby https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7942.json 38.0.0
2026-04-01T14:11:50.235109+00:00 RedHat Importer Affected by VCID-jvp6-892x-nkc7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9548.json 38.0.0
2026-04-01T14:11:26.116918+00:00 RedHat Importer Affected by VCID-ruae-hqdg-m7ek https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9547.json 38.0.0
2026-04-01T14:11:01.693864+00:00 RedHat Importer Affected by VCID-bydt-bkf4-rbh2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9546.json 38.0.0
2026-04-01T14:10:37.291473+00:00 RedHat Importer Affected by VCID-xnyb-nuwm-pkdr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8840.json 38.0.0
2026-04-01T14:10:19.281746+00:00 RedHat Importer Affected by VCID-9qdt-7p83-4yd8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10969.json 38.0.0
2026-04-01T14:10:06.537670+00:00 RedHat Importer Affected by VCID-ugqt-zyga-1ydy https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7943.json 38.0.0
2026-04-01T14:09:43.182172+00:00 RedHat Importer Affected by VCID-v9mt-t1pb-hybk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-5267.json 38.0.0
2026-04-01T14:09:37.607666+00:00 RedHat Importer Affected by VCID-3wa1-khqf-x7fv https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10968.json 38.0.0
2026-04-01T14:09:18.962987+00:00 RedHat Importer Affected by VCID-a5sk-5grx-eyaf https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-11619.json 38.0.0
2026-04-01T14:08:19.271336+00:00 RedHat Importer Affected by VCID-afkn-k8yk-w3dr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10693.json 38.0.0
2026-04-01T14:07:46.322060+00:00 RedHat Importer Affected by VCID-8zkw-y3yd-yuft https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8161.json 38.0.0
2026-04-01T14:07:36.398209+00:00 RedHat Importer Affected by VCID-mnkw-23eu-bkgc https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8166.json 38.0.0
2026-04-01T14:07:29.539327+00:00 RedHat Importer Affected by VCID-es1t-7196-4kbb https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8167.json 38.0.0
2026-04-01T14:07:22.675634+00:00 RedHat Importer Affected by VCID-t684-yp58-hkg8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8165.json 38.0.0
2026-04-01T14:07:15.757610+00:00 RedHat Importer Affected by VCID-895a-ydc5-zfg6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8162.json 38.0.0
2026-04-01T14:07:08.987495+00:00 RedHat Importer Affected by VCID-a6sp-18av-wya6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8164.json 38.0.0
2026-04-01T14:07:00.551276+00:00 RedHat Importer Affected by VCID-pnt3-1ssq-tqau https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14061.json 38.0.0
2026-04-01T14:06:52.001345+00:00 RedHat Importer Affected by VCID-uygc-h93v-vuh8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14062.json 38.0.0
2026-04-01T14:06:35.647686+00:00 RedHat Importer Affected by VCID-u29q-3x9x-73da https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-7663.json 38.0.0
2026-04-01T14:06:20.456903+00:00 RedHat Importer Affected by VCID-ze79-6kcg-nfcp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14195.json 38.0.0
2026-04-01T14:06:10.965845+00:00 RedHat Importer Affected by VCID-xnz5-gv2x-17bk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8184.json 38.0.0
2026-04-01T14:06:05.173202+00:00 RedHat Importer Affected by VCID-1xgz-hwng-n3eq https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8185.json 38.0.0
2026-04-01T14:05:24.471010+00:00 RedHat Importer Affected by VCID-nhvk-z1d5-huce https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14334.json 38.0.0
2026-04-01T14:04:49.961853+00:00 RedHat Importer Affected by VCID-nugh-hm1r-73c7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-14380.json 38.0.0
2026-04-01T14:04:35.826229+00:00 RedHat Importer Affected by VCID-31xv-z8c6-a7bg https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-15169.json 38.0.0