CVE-2018-1000119

Summary

CVE	CVE-2018-1000119
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2018-03-07 14:29:00 UTC
Updated	2020-08-24 17:37:00 UTC
Description	Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.

Risk And Classification

Problem Types: CWE-203

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Sinatrarb	Rack-protection	All	All	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc1	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc2	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc3	All	All
Application	Sinatrarb	Rack-protection	All	All	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc1	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc2	All	All
Application	Sinatrarb	Rack-protection	2.0.0	rc3	All	All

References

Reference	Source	Link	Tags
Use secure_compare when checking CSRF token by jeltz · Pull Request #98 · sinatra/rack-protection · GitHub	CONFIRM	github.com	Issue Tracking, Third Party Advisory
Red Hat Customer Portal	REDHAT	access.redhat.com	Third Party Advisory
Use secure_compare when checking CSRF token · sinatra/sinatra@8aa6c42 · GitHub	CONFIRM	github.com	Issue Tracking, Patch, Third Party Advisory
Debian -- Security Information -- DSA-4247-1 ruby-rack-protection	DEBIAN	www.debian.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

238742 Red Hat Update for Satellite 6.8 release (RHSA-2020:4366)
239228 Red Hat Update for Satellite 6.9 (RHSA-2021:1313)