Vulnerability details: VCID-mac4-2zg3-q3dg
Vulnerability ID VCID-mac4-2zg3-q3dg
Aliases CVE-2019-16782
GHSA-hrqr-hxpp-chr3
Summary: Possible Information Leak / Session Hijack Vulnerability in Rack

There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

### Releases
The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds
There are no known workarounds.

### Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.0 series

### Credits
Thanks to Will Leinweber for reporting this!
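The summary above pins the defect on two things: the value in the cookie is the very key the backing store indexes on, and the store's lookup is not a secure comparison. The following Ruby model is an added example, not Rack's code and not a quotation of the linked fix commit. It shows both shapes side by side: a store keyed on the raw session id with an ordinary early-exit comparison, and a hardened store that indexes on a SHA-256 digest of the id and compares keys in constant time. Deriving a separate private id by hashing is my reading of the direction the Rack fix took; the `2::` version prefix, the class and method names, and the constructed session data are my own assumptions for this example.

```ruby
require "digest"
require "securerandom"

# Constant-time comparison of two strings (same construction as
# Rack::Utils.secure_compare): XOR every byte pair and OR the results, so
# the loop never exits early on the first mismatch. Length is checked up
# front because unequal lengths are not a secret worth hiding here.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  left = a.unpack("C*")
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# Public id: the random value that goes into the cookie.
def new_session_id(bytes = 16)
  SecureRandom.hex(bytes)
end

# Private id: what the backing store actually indexes. Because the store
# only ever sees a one-way digest, a perfect timing oracle against its
# index recovers the digest, which cannot be turned back into a cookie.
# (Assumption: the "2::" prefix is a hypothetical key-versioning scheme
# for this example, not necessarily Rack's exact format.)
def private_session_id(public_id)
  "2::" + Digest::SHA256.hexdigest(public_id)
end

# Vulnerable shape: keyed by the secret itself, looked up with an
# early-exit comparison, so response time tracks how much of a guessed id
# matches a real one. A database index on the raw id behaves the same way.
class VulnerableSessionStore
  def initialize
    @rows = {}
  end

  def write(sid, data)
    @rows[sid] = data
  end

  def read(sid)
    @rows.each { |key, data| return data if key == sid } # early-exit compare on the secret
    nil
  end
end

# Hardened shape: index on the digest of the id, and compare keys in
# constant time for good measure.
class HardenedSessionStore
  def initialize
    @rows = {}
  end

  def write(public_id, data)
    @rows[private_session_id(public_id)] = data
  end

  def read(public_id)
    wanted = private_session_id(public_id)
    @rows.each { |key, data| return data if secure_compare(key, wanted) }
    nil
  end

  # The attacker's view through a timing oracle on the index: stored keys,
  # none of which is a usable cookie value.
  def stored_keys
    @rows.keys
  end
end

if __FILE__ == $PROGRAM_NAME
  store = HardenedSessionStore.new
  sid = new_session_id                         # constructed sample session
  store.write(sid, { "user_id" => 42 })
  p store.read(sid)                            # {"user_id"=>42}
  p store.stored_keys.first.start_with?("2::") # true
end
```

The hashing step is the one that matters for the scenario in the summary: a database's index comparison is not under the application's control, so a constant-time compare in application code cannot make a B-tree lookup constant-time. Once the indexed value is a digest of the cookie, a plain `@rows[wanted]` hash lookup is acceptable too, since whatever timing leaks from it is only the digest. The constant-time compare is still the right tool wherever application code compares a secret directly.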
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3.1 6.3 http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
generic_textual MODERATE http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json
epss 0.00892 https://api.first.org/data/v1/epss?cve=CVE-2019-16782
cvssv3.1 5.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hrqr-hxpp-chr3
cvssv3.1 6.3 https://github.com/rack/rack
generic_textual MODERATE https://github.com/rack/rack
cvssv3.1 6.3 https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
generic_textual MODERATE https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
cvssv3 6.3 https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
cvssv3.1 6.3 https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
cvssv3.1_qr MODERATE https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
generic_textual MODERATE https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
cvssv3.1 6.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
cvssv3.1 6.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
cvssv3.1 6.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
cvssv3.1 6.3 https://nvd.nist.gov/vuln/detail/CVE-2019-16782
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-16782
cvssv3.1 6.3 http://www.openwall.com/lists/oss-security/2019/12/18/2
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2019/12/18/2
cvssv3.1 6.3 http://www.openwall.com/lists/oss-security/2019/12/18/3
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2019/12/18/3
cvssv3.1 6.3 http://www.openwall.com/lists/oss-security/2019/12/19/3
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2019/12/19/3
cvssv3.1 6.3 http://www.openwall.com/lists/oss-security/2020/04/08/1
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2020/04/08/1
cvssv3.1 6.3 http://www.openwall.com/lists/oss-security/2020/04/09/2
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2020/04/09/2
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json
https://api.first.org/data/v1/epss?cve=CVE-2019-16782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rack/rack
https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
https://nvd.nist.gov/vuln/detail/CVE-2019-16782
http://www.openwall.com/lists/oss-security/2019/12/18/2
http://www.openwall.com/lists/oss-security/2019/12/18/3
http://www.openwall.com/lists/oss-security/2019/12/19/3
http://www.openwall.com/lists/oss-security/2020/04/08/1
http://www.openwall.com/lists/oss-security/2020/04/09/2
1789100 https://bugzilla.redhat.com/show_bug.cgi?id=1789100
946983 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983
GHSA-hrqr-hxpp-chr3 https://github.com/advisories/GHSA-hrqr-hxpp-chr3
RHSA-2020:2480 https://access.redhat.com/errata/RHSA-2020:2480
RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366
RHSA-2021:1313 https://access.redhat.com/errata/RHSA-2021:1313
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): low
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rack/rack
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-16782
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2019/12/18/2
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2019/12/18/3
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2019/12/19/3
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2020/04/08/1
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2020/04/09/2
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): changed; Confidentiality Impact (C): high; Integrity Impact (I): none; Availability Impact (A): none

Exploit Prediction Scoring System (EPSS)
Percentile 0.75899
EPSS Score 0.00892
Published At May 29, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-29T09:20:42.402528+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-hrqr-hxpp-chr3/GHSA-hrqr-hxpp-chr3.json 38.6.0