CVE-2019-16779
16.12.2019, 20:15
In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.
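The failure mode in the description, shown as an added example that is not excon's own code. A toy line-oriented server on localhost (constructed for this demonstration) answers `/slow` only after a delay, so the client's read timeout fires first. The vulnerable client keeps the interrupted socket; the bytes that later arrive on it are read as the answer to the next request. The fixed variant discards the connection when a request is interrupted, which is the behaviour a defender should expect from a persistent-connection client. Class names, paths and the timings are assumptions for the illustration.

```ruby
require 'socket'

# Constructed toy server: each request is one line; "/slow" is answered after
# a delay so that the client's read timeout fires before the response arrives.
class ToyServer
  attr_reader :port

  def initialize(slow_delay: 0.2)
    @server = TCPServer.new('127.0.0.1', 0)
    @port = @server.addr[1]
    @slow_delay = slow_delay
    @thread = Thread.new { loop { handle(@server.accept) } }
  end

  def handle(conn)
    Thread.new do
      begin
        while (line = conn.gets)
          path = line.chomp
          sleep(@slow_delay) if path == '/slow'
          conn.write("RESP:#{path}\n")
        end
        conn.close
      rescue IOError, SystemCallError
        # peer went away; nothing else to do
      end
    end
  end

  def close
    @thread.kill
    @server.close
  end
end

class RequestTimeout < StandardError; end

# Persistent-connection client modelled on the bug: one socket is reused across
# requests. On a read timeout the vulnerable variant (reset_on_error: false)
# keeps the socket, so bytes arriving later are read by the next request; the
# fixed variant closes it and reconnects.
class PersistentClient
  def initialize(port, read_timeout: 0.05, reset_on_error: false)
    @port = port
    @read_timeout = read_timeout
    @reset_on_error = reset_on_error
    @sock = nil
  end

  def request(path)
    sock = connection
    sock.write("#{path}\n")
    unless IO.select([sock], nil, nil, @read_timeout)
      reset if @reset_on_error
      raise RequestTimeout, path
    end
    sock.gets.chomp
  rescue IOError, SystemCallError
    reset
    raise
  end

  private

  def connection
    @sock ||= TCPSocket.new('127.0.0.1', @port)
  end

  def reset
    @sock&.close
    @sock = nil
  end
end

# Runs one interrupted request followed by a normal one and returns what the
# second request reads. "RESP:/fast" is correct; "RESP:/slow" is stale data.
def demonstrate(reset_on_error:)
  server = ToyServer.new
  client = PersistentClient.new(server.port, reset_on_error: reset_on_error)
  begin
    client.request('/slow')
  rescue RequestTimeout
    # request interrupted; the connection sits idle as it would in a pool
  end
  sleep 0.5 # the late response lands on the idle socket meanwhile
  client.request('/fast')
ensure
  server.close
end

if __FILE__ == $0
  puts "vulnerable: #{demonstrate(reset_on_error: false)}" # RESP:/slow
  puts "fixed:      #{demonstrate(reset_on_error: true)}"  # RESP:/fast
end
```

The stale bytes are the whole story: the vulnerable client never checks that the socket is "clean" before reuse, so any interruption between write and a complete read poisons every later request on that connection. Closing the socket on any error that leaves the response unread is the simplest fix; validating that the buffer is empty before reuse is a second line of defence.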
| Vendor | Product | Version |
|---|---|---|
| excon_project | excon | 𝑥 < 0.71.0 |
| opensuse | backports_sle | 15.0:sp1 |
| opensuse | leap | 15.1 |
| debian | debian_linux | 8.0 |

𝑥 = Vulnerable software versions

Common Weakness Enumeration
- CWE-664 - Improper Control of a Resource Through its Lifetime: The software does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition'): The program contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.