CVE-2018-1000119

Name: CVE-2018-1000119
Description: Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token check that can result in signatures being exposed. The attack appears to be exploitable via network connectivity to the Ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
Source: CVE (at NVD)
NVD severity: medium (attack range: remote)
Debian Bugs: 892250
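The flaw described above is a non-constant-time comparison of the submitted CSRF token against the one stored in the session. The following is an added example, not rack-protection's own code, that makes the leak visible without a stopwatch: a short-circuiting comparator (the behaviour of String#== / memcmp) reports how many bytes it examined before giving up, so the count rises by one for every leading byte an attacker guesses correctly, while a constant-time comparator in the style of Rack::Utils.secure_compare always walks the whole token. The session hash, the helper names and the sample tokens are assumptions made for the illustration.

```ruby
require 'securerandom'

# Added example (not rack-protection's code): why checking a CSRF token with
# String#== leaks timing, and a constant-time replacement.

# Models a short-circuiting comparison such as String#==: it stops at the
# first mismatching byte. Returns [match?, bytes_examined] so the leak is
# visible deterministically instead of through wall-clock timing.
def short_circuit_compare(expected, provided)
  return [false, 0] if expected.bytesize != provided.bytesize
  e = expected.bytes
  p = provided.bytes
  e.each_index do |i|
    return [false, i + 1] if e[i] != p[i]
  end
  [true, e.size]
end

# Constant-time comparison: always visits every byte and ORs the XOR of
# each pair into an accumulator, so the work done does not depend on where
# the first mismatch sits. The up-front length check is fine here because
# the length of a CSRF token is public, not secret.
def constant_time_compare(expected, provided)
  return [false, 0] if expected.bytesize != provided.bytesize
  diff = 0
  expected.bytes.zip(provided.bytes) { |a, b| diff |= a ^ b }
  [diff.zero?, expected.bytesize]
end

# Hypothetical session-bound token check in the shape a Rack middleware
# would use: the token stored in the session (assumed key :csrf) is the
# reference value, and a missing token on either side is a failure.
def valid_csrf_token?(session, submitted)
  expected = session[:csrf]
  return false if expected.nil? || submitted.nil?
  constant_time_compare(expected, submitted.to_s).first
end

# 32 random bytes, base64-encoded (44 characters), as a fresh token.
def new_csrf_token
  SecureRandom.base64(32)
end

if __FILE__ == $PROGRAM_NAME
  session = { csrf: new_csrf_token }
  good = session[:csrf]
  # Constructed guesses: the first k bytes are right, the rest are '!',
  # which never appears in base64 output, so the mismatch is exactly at k.
  (0..4).each do |k|
    guess = good[0, k] + ('!' * (good.bytesize - k))
    _, leaky = short_circuit_compare(good, guess)
    _, fixed = constant_time_compare(good, guess)
    puts "correct prefix=#{k}: short-circuit examined #{leaky} bytes, constant-time examined #{fixed}"
  end
  puts "valid token accepted: #{valid_csrf_token?(session, good)}"
end
```

Running the script prints the examined-byte count climbing 1, 2, 3, 4, 5 for the short-circuiting compare while the constant-time compare reports the full token length every time; that per-byte difference, amplified over many requests, is what lets a remote client recover the token one byte at a time.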

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package             | Release               | Version | Status
ruby-rack-protection (PTS) | jessie                | 1.5.2-1 | vulnerable
ruby-rack-protection (PTS) | buster, sid, stretch  | 1.5.3-2 | vulnerable

The information below is based on the following data on fixed versions.

Package              | Type   | Release    | Fixed Version | Urgency | Origin | Debian Bugs
ruby-rack-protection | source | (unstable) | (unfixed)     | medium  |        | 892250

Notes

[wheezy] - ruby-rack-protection <ignored> (Low prio package and low prio vulnerability according to RedHat)
https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470
https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395
https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
