CVE-2015-7576

EUVD-2017-0280

16.02.2016, 02:59

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.7 LOW	NETWORK	HIGH	NONE	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 81%

Affected Products (NVD)

Vendor	Product	Version
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.0:beta
rubyonrails	rails	4.0.0:rc1
rubyonrails	rails	4.0.0:rc2
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1:rc1
rubyonrails	rails	4.0.1:rc2
rubyonrails	rails	4.0.1:rc3
rubyonrails	rails	4.0.1:rc4
rubyonrails	rails	4.0.2
rubyonrails	rails	4.0.3
rubyonrails	rails	4.0.4
rubyonrails	rails	4.0.4:rc1
rubyonrails	rails	4.0.5
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.6:rc1
rubyonrails	rails	4.0.6:rc2
rubyonrails	rails	4.0.6:rc3
rubyonrails	rails	4.0.7
rubyonrails	rails	4.0.8
rubyonrails	rails	4.0.9
rubyonrails	rails	4.0.10
rubyonrails	rails	4.0.10:rc1
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0:beta1
rubyonrails	rails	4.1.0:beta2
rubyonrails	rails	4.1.0:rc1
rubyonrails	rails	4.1.0:rc2
rubyonrails	rails	4.1.1
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.2:rc1
rubyonrails	rails	4.1.2:rc2
rubyonrails	rails	4.1.2:rc3
rubyonrails	rails	4.1.3
rubyonrails	rails	4.1.4
rubyonrails	rails	4.1.5
rubyonrails	rails	4.1.6
rubyonrails	rails	4.1.6:rc1
rubyonrails	rails	4.1.6:rc2
rubyonrails	rails	4.1.7
rubyonrails	rails	4.1.7.1
rubyonrails	rails	4.1.8
rubyonrails	rails	4.1.9
rubyonrails	rails	4.1.9:rc1
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.10:rc1
rubyonrails	rails	4.1.10:rc2
rubyonrails	rails	4.1.10:rc3
rubyonrails	rails	4.1.10:rc4
rubyonrails	rails	4.1.12
rubyonrails	rails	4.1.12:rc1
rubyonrails	rails	4.1.13
rubyonrails	rails	4.1.13:rc1
rubyonrails	rails	4.1.14
rubyonrails	rails	4.1.14:rc1
rubyonrails	rails	4.1.14:rc2
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0:beta1
rubyonrails	rails	4.2.0:beta2
rubyonrails	rails	4.2.0:beta3
rubyonrails	rails	4.2.0:beta4
rubyonrails	rails	4.2.0:rc1
rubyonrails	rails	4.2.0:rc2
rubyonrails	rails	4.2.0:rc3
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.1:rc1
rubyonrails	rails	4.2.1:rc2
rubyonrails	rails	4.2.1:rc3
rubyonrails	rails	4.2.1:rc4
rubyonrails	rails	4.2.2
rubyonrails	rails	4.2.3
rubyonrails	rails	4.2.3:rc1
rubyonrails	rails	4.2.4
rubyonrails	rails	4.2.4:rc1
rubyonrails	rails	4.2.5
rubyonrails	rails	4.2.5:rc1
rubyonrails	rails	4.2.5:rc2
rubyonrails	rails	5.0.0:beta1
rubyonrails	ruby_on_rails	𝑥 ≤ 3.2.22
rubyonrails	ruby_on_rails	4.0.10:rc2
rubyonrails	ruby_on_rails	4.0.11
rubyonrails	ruby_on_rails	4.0.11.1
rubyonrails	ruby_on_rails	4.0.12
rubyonrails	ruby_on_rails	4.0.13
rubyonrails	ruby_on_rails	4.0.13:rc1
rubyonrails	ruby_on_rails	4.1.11

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

rails

bookworm	2:6.1.7.3+dfsg-2~deb12u1 fixed
bullseye	2:6.0.3.7+dfsg-2+deb11u2 fixed
bullseye (security)	2:6.0.3.7+dfsg-2+deb11u2 fixed
sid	2:6.1.7.3+dfsg-4 fixed
trixie	2:6.1.7.3+dfsg-4 fixed
wheezy	not-affected

Ubuntu Releases

Ubuntu Product

Codename

rails

artful	ignored
bionic	not-affected
cosmic	not-affected
disco	not-affected
precise	not-affected
trusty	dne
vivid	Fixed 2:4.1.8-1+deb8u1build0.15.04.1 released
wily	ignored
xenial	not-affected
yakkety	ignored
zesty	ignored

rails-4.0

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	dne
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-actionpack-2.3

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	not-affected
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-actionpack-3.2

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	dne
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-activerecord-2.3

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	not-affected
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-activerecord-3.2

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	dne
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-activesupport-2.3

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	not-affected
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-activesupport-3.2

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	dne
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-rails-2.3

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	not-affected
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

ruby-rails-3.2

artful	dne
bionic	dne
cosmic	dne
disco	dne
precise	dne
trusty	dne
vivid	dne
wily	dne
xenial	dne
yakkety	dne
zesty	dne

Common Weakness Enumeration

CWE-254 -

References

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html

http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html

http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html

http://rhn.redhat.com/errata/RHSA-2016-0296.html

http://www.debian.org/security/2016/dsa-3464

http://www.openwall.com/lists/oss-security/2016/01/25/8

http://www.securityfocus.com/bid/81803

http://www.securitytracker.com/id/1034816

https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ