gsd-2019-16782
Vulnerability from gsd
Modified
2019-12-18 00:00
Details
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. Impact: The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
Aliases



{
  "GSD": {
    "alias": "CVE-2019-16782",
    "description": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.",
    "id": "GSD-2019-16782",
    "references": [
      "https://www.suse.com/security/cve/CVE-2019-16782.html",
      "https://access.redhat.com/errata/RHSA-2021:1313",
      "https://access.redhat.com/errata/RHSA-2020:4366",
      "https://access.redhat.com/errata/RHSA-2020:2480",
      "https://advisories.mageia.org/CVE-2019-16782.html",
      "https://ubuntu.com/security/CVE-2019-16782"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "rack",
            "purl": "pkg:gem/rack"
          }
        }
      ],
      "aliases": [
        "CVE-2019-16782",
        "GHSA-hrqr-hxpp-chr3"
      ],
      "details": "There\u0027s a possible information leak / session hijack vulnerability in Rack.\n\nAttackers may be able to find and hijack sessions by using timing attacks\ntargeting the session id. Session ids are usually stored and indexed in a\ndatabase that uses some kind of scheme for speeding up lookups of that\nsession id. By carefully measuring the amount of time it takes to look up\na session, an attacker may be able to find a valid session id and hijack\nthe session.\n\nThe session id itself may be generated randomly, but the way the session is\nindexed by the backing store does not use a secure comparison.\n\nImpact:\n\nThe session id stored in a cookie is the same id that is used when querying\nthe backing session storage engine.  Most storage mechanisms (for example a\ndatabase) use some sort of indexing in order to speed up the lookup of that\nid.  By carefully timing requests and session lookup failures, an attacker\nmay be able to perform a timing attack to determine an existing session id\nand hijack that session.",
      "id": "GSD-2019-16782",
      "modified": "2019-12-18T00:00:00.000Z",
      "published": "2019-12-18T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 6.3,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Possible information leak / session hijack vulnerability"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2019-16782",
        "STATE": "PUBLIC",
        "TITLE": "Possible Information Leak / Session Hijack Vulnerability in Rack"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "rack",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "before 1.6.12 or 2.0.8"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "rack"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-208 Information Exposure Through Timing Discrepancy"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3",
            "refsource": "CONFIRM",
            "url": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
          },
          {
            "name": "https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38",
            "refsource": "CONFIRM",
            "url": "https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38"
          },
          {
            "name": "[oss-security] 20191219 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/12/18/3"
          },
          {
            "name": "[oss-security] 20191218 [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/12/18/2"
          },
          {
            "name": "[oss-security] 20191218 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2019/12/19/3"
          },
          {
            "name": "FEDORA-2020-57fc0d0156",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/"
          },
          {
            "name": "openSUSE-SU-2020:0214",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"
          },
          {
            "name": "[oss-security] 20200409 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2020/04/08/1"
          },
          {
            "name": "[oss-security] 20200408 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2020/04/09/2"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-hrqr-hxpp-chr3",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2019-16782",
      "cvss_v3": 6.3,
      "date": "2019-12-18",
      "description": "There\u0027s a possible information leak / session hijack vulnerability in Rack.\n\nAttackers may be able to find and hijack sessions by using timing attacks\ntargeting the session id. Session ids are usually stored and indexed in a\ndatabase that uses some kind of scheme for speeding up lookups of that\nsession id. By carefully measuring the amount of time it takes to look up\na session, an attacker may be able to find a valid session id and hijack\nthe session.\n\nThe session id itself may be generated randomly, but the way the session is\nindexed by the backing store does not use a secure comparison.\n\nImpact:\n\nThe session id stored in a cookie is the same id that is used when querying\nthe backing session storage engine.  Most storage mechanisms (for example a\ndatabase) use some sort of indexing in order to speed up the lookup of that\nid.  By carefully timing requests and session lookup failures, an attacker\nmay be able to perform a timing attack to determine an existing session id\nand hijack that session.",
      "gem": "rack",
      "ghsa": "hrqr-hxpp-chr3",
      "patched_versions": [
        "~\u003e 1.6.12",
        "\u003e= 2.0.8"
      ],
      "title": "Possible information leak / session hijack vulnerability",
      "url": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.6.12||\u003e1.6.12 \u003c2.0.8",
          "affected_versions": "All versions before 1.6.12, all versions after 1.6.12 before 2.0.8",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2019-12-28",
          "description": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.",
          "fixed_versions": [
            "1.6.12",
            "2.0.8"
          ],
          "identifier": "CVE-2019-16782",
          "identifiers": [
            "CVE-2019-16782",
            "GHSA-hrqr-hxpp-chr3"
          ],
          "not_impacted": "Version 1.6.12, all versions starting from 2.0.8",
          "package_slug": "gem/rack",
          "pubdate": "2019-12-18",
          "solution": "Upgrade to version 2.0.8 or above.",
          "title": "Information Exposure",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2019-16782",
            "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
          ],
          "uuid": "f3c4e135-0d7a-4ab9-a4ef-a331ef23c423"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.6.12",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rack_project:rack:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.0.8",
                "versionStartIncluding": "2.0.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2019-16782"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "There\u0027s a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-203"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38"
            },
            {
              "name": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3"
            },
            {
              "name": "[oss-security] 20191218 [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/12/18/2"
            },
            {
              "name": "[oss-security] 20191219 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/12/18/3"
            },
            {
              "name": "[oss-security] 20191218 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2019/12/19/3"
            },
            {
              "name": "FEDORA-2020-57fc0d0156",
              "refsource": "FEDORA",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/"
            },
            {
              "name": "openSUSE-SU-2020:0214",
              "refsource": "SUSE",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html"
            },
            {
              "name": "[oss-security] 20200409 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2020/04/08/1"
            },
            {
              "name": "[oss-security] 20200408 Re: [CVE-2019-16782] Possible Information Leak / Session Hijack Vulnerability in Rack",
              "refsource": "MLIST",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "http://www.openwall.com/lists/oss-security/2020/04/09/2"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2021-11-02T18:04Z",
      "publishedDate": "2019-12-18T20:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.