Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution

Metadata

medium
5.1
rack
CVE-2013-0263
osvdb.org
2013-02-07
2017-06-16 19:02
CVE-2013-0263 ruby-rack
CVE-2013-0263
2017-04-01 19:11
2017-01-05 20:15

Description

Rack::Session::Cookie signs each session cookie with an HMAC and, before the
fix, compared the digest received from the client with the expected digest
using an ordinary string comparison, which stops as soon as one byte differs.
An attacker who can measure response latency precisely enough can use that
difference to recover a valid digest one position at a time and so forge a
cookie. Because the default Marshal coder deserializes the cookie body with
Marshal.load once the signature is accepted, a forged cookie lets the attacker
hand the application arbitrary serialized objects, which may lead to arbitrary
code execution. The attack is more practical against 'cloud' users, since
intra-cloud latencies are low enough for the timing difference to be observable.
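The following is an added example, not code from Rack or from this advisory. It models the cookie layout Rack::Session::Cookie 1.x used (base64 of Marshal.dump, then "--", then a hex HMAC-SHA1 over the base64) and places the vulnerable comparison next to a constant-time one of the kind the fix introduced. The module name, method names and the secret are assumptions made for the example.

```ruby
require 'openssl'

# Added example: toy model of Rack::Session::Cookie's signed-cookie check.
# Names here (SessionCookie, sign, vulnerable_valid?, secure_valid?) are
# ours, not Rack's. Cookie layout: "<base64(Marshal.dump(h))>--<hex HMAC>".
module SessionCookie
  SECRET = 'constructed-example-secret-do-not-reuse'.freeze

  def self.hmac(data, secret = SECRET)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
  end

  # Server side: serialize the session with Marshal, base64 it, append the HMAC.
  def self.sign(session, secret = SECRET)
    data = [Marshal.dump(session)].pack('m0')
    "#{data}--#{hmac(data, secret)}"
  end

  def self.split_cookie(cookie)
    data, digest = cookie.to_s.split('--', 2)
    return nil if data.nil? || digest.nil? || data.empty? || digest.empty?
    [data, digest]
  end

  # Pre-fix behaviour: String#== is not constant-time, so the time taken
  # leaks how many leading bytes of the guessed digest were correct.
  def self.vulnerable_valid?(cookie, secret = SECRET)
    parts = split_cookie(cookie)
    return false unless parts
    data, digest = parts
    digest == hmac(data, secret)
  end

  # Constant-time comparison: every byte is XORed regardless of earlier
  # mismatches, so timing no longer depends on where the strings diverge.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    l = a.unpack('C*')
    r = 0
    i = -1
    b.each_byte { |v| r |= v ^ l[i += 1] }
    r == 0
  end

  def self.secure_valid?(cookie, secret = SECRET)
    parts = split_cookie(cookie)
    return false unless parts
    data, digest = parts
    secure_compare(digest, hmac(data, secret))
  end

  # Marshal.load runs only after the signature is accepted. The HMAC check is
  # the sole boundary between attacker-controlled bytes and the deserializer,
  # which is why a forged digest turns into code execution with this coder.
  def self.load_session(cookie, secret = SECRET)
    return nil unless secure_valid?(cookie, secret)
    data, _digest = split_cookie(cookie)
    Marshal.load(data.unpack('m0').first)
  end
end

if $PROGRAM_NAME == __FILE__
  cookie = SessionCookie.sign({ 'user_id' => 42 })
  puts "genuine cookie accepted: #{SessionCookie.secure_valid?(cookie)}"
  data, digest = cookie.split('--', 2)
  forged = "#{[Marshal.dump({ 'user_id' => 1 })].pack('m0')}--#{digest}"
  puts "forged payload with stale digest accepted: #{SessionCookie.secure_valid?(forged)}"
end
```

Both validators reject a cookie whose body was tampered with; the difference is only in how long the rejection takes, which is exactly what the timing attack measures. Replacing Marshal with a coder that cannot instantiate arbitrary classes (a JSON coder, for instance) removes the code-execution consequence even if the signature check is somehow bypassed.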

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched, and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Or, you can just let us figure it out for you! Appcanary continuously monitors your installed packages and tells you if any of them are vulnerable.


Affected package information

Package: rack
Patched in: ~> 1.1.6, ~> 1.2.8, ~> 1.3.10, ~> 1.4.5, >= 1.5.2
Unaffected in: None
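To check an installed rack version against the constraints above, the following added example (not Appcanary's or Rack's code) evaluates the pessimistic-version operators with RubyGems' own Gem::Requirement, so "~> 1.2.8" is read the way Bundler reads it, as ">= 1.2.8, < 1.3". The constraint list is copied from the table; the sample versions are constructed.

```ruby
require 'rubygems'

# Added example: decide whether a given rack version falls in a patched
# range. PATCHED_IN is the "Patched in" column from the table above.
module RackCve20130263
  PATCHED_IN = ['~> 1.1.6', '~> 1.2.8', '~> 1.3.10', '~> 1.4.5', '>= 1.5.2'].freeze

  # true when the version satisfies at least one patched constraint
  def self.patched?(version_string)
    version = Gem::Version.new(version_string)
    PATCHED_IN.any? { |c| Gem::Requirement.new(c).satisfied_by?(version) }
  end

  # Reads the rack line out of a Gemfile.lock body and reports on it.
  # Returns nil when rack is not pinned in the lockfile.
  def self.check_lockfile(lockfile_text)
    line = lockfile_text.lines.find { |l| l =~ /^\s+rack \((\d+(?:\.\d+)*)\)/ }
    return nil unless line
    version = line[/\((\d+(?:\.\d+)*)\)/, 1]
    { version: version, patched: patched?(version) }
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample lockfile fragment for the demonstration.
  sample_lock = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        rack (1.4.1)
        rack-protection (1.2.0)
          rack
  LOCK
  puts RackCve20130263.check_lockfile(sample_lock).inspect
end
```

Note that ~> 1.2.8 does not cover 1.3.x: each minor series has its own fix release, so a version such as 1.3.9 is vulnerable even though it is newer than 1.2.8.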