GHSA-hrqr-hxpp-chr3
Vulnerability from github
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
Releases
The 1.6.12 and 2.0.8 releases are available at the normal locations.
Workarounds
There are no known workarounds.
Patches
To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.
- 1-6-session-timing-attack.patch - Patch for 1.6 series
- 2-0-session-timing-attack.patch - Patch for 2.6 series
Credits
Thanks Will Leinweber for reporting this!
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.12"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-16782"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2019-12-18T19:01:07Z",
"nvd_published_at": "2019-12-18T20:15:00Z",
"severity": "MODERATE"
},
"details": "There\u0027s a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.\n\nThe session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.\n\n### Impact\n\nThe session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.\n\n## Releases\n\nThe 1.6.12 and 2.0.8 releases are available at the normal locations.\n\n### Workarounds\n\nThere are no known workarounds.\n\n### Patches\n\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 1-6-session-timing-attack.patch - Patch for 1.6 series\n* 2-0-session-timing-attack.patch - Patch for 2.6 series\n\n### Credits\n\nThanks Will Leinweber for reporting this!",
"id": "GHSA-hrqr-hxpp-chr3",
"modified": "2021-11-03T14:59:03Z",
"published": "2019-12-18T19:01:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16782"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/12/18/2"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/12/18/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/12/19/3"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/08/1"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2020/04/09/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possible Information Leak / Session Hijack Vulnerability in Rack"
}
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.