CVE-2013-0263

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
Severity
UNKNOWN
AV:N/AC:H/Au:N/C:P/I:P/A:P
Atk. Vector
NETWORK
Atk. Complexity
HIGH
Base Score
CVSS 3.x
EPSS Score
Percentile: 94%
VendorProductVersion
rack_projectrack
1.5.0
rack_projectrack
1.5.1
rack_projectrack
1.4.0
rack_projectrack
1.4.1
rack_projectrack
1.4.2
rack_projectrack
1.4.3
rack_projectrack
1.4.4
rack_projectrack
1.3.0
rack_projectrack
1.3.1
rack_projectrack
1.3.2
rack_projectrack
1.3.3
rack_projectrack
1.3.4
rack_projectrack
1.3.5
rack_projectrack
1.3.6
rack_projectrack
1.3.7
rack_projectrack
1.3.8
rack_projectrack
1.3.9
rack_projectrack
1.2.0
rack_projectrack
1.2.1
rack_projectrack
1.2.2
rack_projectrack
1.2.3
rack_projectrack
1.2.4
rack_projectrack
1.2.6
rack_projectrack
1.2.7
rack_projectrack
1.1.0
rack_projectrack
1.1.4
rack_projectrack
1.1.5
rack_projectrack
1.1.6
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-rack
bullseye (security)
2.1.4-3+deb11u2
fixed
bullseye
2.1.4-3+deb11u2
fixed
bookworm
2.2.6.4-1+deb12u1
fixed
bookworm (security)
2.2.6.4-1+deb12u1
fixed
sid
2.2.7-1.1
fixed
trixie
2.2.7-1.1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-rack
zesty
Fixed 1.5.2-1
released
yakkety
Fixed 1.5.2-1
released
xenial
Fixed 1.5.2-1
released
wily
Fixed 1.5.2-1
released
vivid
Fixed 1.5.2-1
released
utopic
Fixed 1.5.2-1
released
trusty
Fixed 1.5.2-1
released
saucy
Fixed 1.5.2-1
released
raring
ignored
quantal
ignored
precise
ignored
oneiric
dne
lucid
dne
hardy
dne
References