CVE-2018-1000119

Impact:
Moderate
Public Date:
2015-05-25
CWE:
CWE-385
Bugzilla:
1534027: CVE-2018-1000119 rack-protection: Timing attack in authenticity_token.rb

The MITRE CVE dictionary describes this issue as:

Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contain a timing attack vulnerability in the CSRF token checking that can result in signatures being exposed. This attack appears to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
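The description above names a timing attack in CSRF token checking. The Ruby below is an added illustration, not code from the rack-protection project or from this advisory: it models why a plain string comparison of the session token against the submitted token leaks information through its running time, and shows the constant-time comparison pattern that removes that dependency. The function names, the `session["csrf"]` key, and the step-counting instrumentation are assumptions made for the example; the constant-time routine is modelled on the shape of `Rack::Utils.secure_compare`, which is an assumption about the upstream fix rather than a quotation of it.

```ruby
require "securerandom"

# Vulnerable pattern: a short-circuiting comparison stops at the first
# mismatching byte, so the work done (and therefore the time taken) grows
# with the length of the prefix that matches. String#== is not guaranteed
# to run in constant time, so this byte-by-byte model is used to make the
# dependency visible without needing a clock.
# Returns [match?, number_of_byte_comparisons].
def naive_compare(expected, provided)
  return [false, 0] unless expected.bytesize == provided.bytesize
  steps = 0
  expected.each_byte.with_index do |byte, i|
    steps += 1
    return [false, steps] if byte != provided.getbyte(i)
  end
  [true, steps]
end

# Hardened pattern: XOR every byte pair and OR the results together, then
# look at the accumulator only once at the end. Every byte is visited
# regardless of where (or whether) the strings differ, so the step count is
# fixed by the token length alone. Modelled on Rack::Utils.secure_compare
# (assumption for this example).
# Returns [match?, number_of_byte_comparisons].
def secure_compare(expected, provided)
  return [false, 0] unless expected.bytesize == provided.bytesize
  diff = 0
  steps = 0
  expected.each_byte.with_index do |byte, i|
    steps += 1
    diff |= byte ^ provided.getbyte(i)
  end
  [diff.zero?, steps]
end

# Hypothetical session helper: a fresh random token stored under a
# constructed key name. Real applications use their framework's helper.
def issue_csrf_token(session)
  session["csrf"] = SecureRandom.base64(32)
end

# Hypothetical request-side check using the constant-time comparison.
# A missing or nil token on either side is rejected outright.
def valid_authenticity_token?(session, provided)
  expected = session["csrf"]
  return false if expected.nil? || provided.nil?
  secure_compare(expected.to_s, provided.to_s).first
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample tokens: the second differs from the first in the
  # fourth byte, so the naive comparison stops early.
  token_a = "abcdef"
  token_b = "abcxyz"
  puts "naive:  #{naive_compare(token_a, token_b).inspect}"   # early exit after 4 bytes
  puts "secure: #{secure_compare(token_a, token_b).inspect}"  # always 6 bytes

  session = {}
  issue_csrf_token(session)
  puts "valid submission: #{valid_authenticity_token?(session, session["csrf"])}"
  puts "missing token:    #{valid_authenticity_token?(session, nil)}"
end
```

The second element of each returned pair is what matters for the defender: with `naive_compare` it varies with the position of the first mismatch, with `secure_compare` it is always the token length. A remaining observable difference is the early return on unequal lengths, which only reveals the token length, not its contents; tokens issued by the server all have the same length in this model, so that branch carries no useful signal.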

Find out more about CVE-2018-1000119 from the MITRE CVE dictionary and NIST NVD.

Statement

This issue affects the versions of rubygem-rack-protection as shipped with Red Hat Satellite 6. Red Hat Product Security has rated this issue as having a security impact of Low. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v3 metrics

CVSS3 Base Score 3.7
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat Enterprise Linux 7 (pcs) RHSA-2018:1060 2018-04-10

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-ror41-rubygem-rack-protection Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-ror42-rubygem-rack-protection Will not fix
Red Hat Software Collections for Red Hat Enterprise Linux rh-ror50-rubygem-rack-protection Will not fix
Red Hat Satellite 6 rubygem-rack-protection Will not fix
Red Hat OpenStack Platform Operational Tools 9 rubygem-rack-protection Will not fix
Red Hat OpenStack Platform 13.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat OpenStack Platform 12.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat OpenStack Platform 11.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat OpenStack Platform 10.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat Gluster Storage 3 pcs Will not fix
Red Hat Gluster Storage 3 rubygem-rack-protection Will not fix
Red Hat Enterprise Linux OpenStack Platform 8.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat Enterprise Linux OpenStack Platform 7.0 Operational Tools for RHEL 7 rubygem-rack-protection Will not fix
Red Hat Enterprise Linux 8 rubygem-rack-protection Not affected
Red Hat Enterprise Linux 6 pcs Will not fix
Red Hat Ceph Storage 1.3 rubygem-rack-protection Will not fix
Last Modified

CVE description copyright © 2017, The MITRE Corporation