CVE-2013-0263

Published: Feb 8, 2013Modified: Apr 29, 2026

5.1

Vector

AV:N/AC:H/Au:N/C:P/I:P/A:P

Exploitability: 4.9 / Impact: 6.4

Source: NVD

Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

Affected (28)

Products: Rack Project: Rack

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Rack Project Rack	Version 1.5.0
Rack Project Rack	Version 1.5.1

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Rack Project Rack	Version 1.4.0
Rack Project Rack	Version 1.4.1
Rack Project Rack	Version 1.4.2
Rack Project Rack	Version 1.4.3
Rack Project Rack	Version 1.4.4

Configuration C

10 vulnerable

Vulnerable Software	Affected Versions
Rack Project Rack	Version 1.3.0
Rack Project Rack	Version 1.3.1
Rack Project Rack	Version 1.3.2
Rack Project Rack	Version 1.3.3
Rack Project Rack	Version 1.3.4
Rack Project Rack	Version 1.3.5
Rack Project Rack	Version 1.3.6
Rack Project Rack	Version 1.3.7
Rack Project Rack	Version 1.3.8
Rack Project Rack	Version 1.3.9

Configuration D

7 vulnerable

Vulnerable Software	Affected Versions
Rack Project Rack	Version 1.2.0
Rack Project Rack	Version 1.2.1
Rack Project Rack	Version 1.2.2
Rack Project Rack	Version 1.2.3
Rack Project Rack	Version 1.2.4
Rack Project Rack	Version 1.2.6
Rack Project Rack	Version 1.2.7

Configuration E

4 vulnerable

Vulnerable Software	Affected Versions
Rack Project Rack	Version 1.1.0
Rack Project Rack	Version 1.1.4
Rack Project Rack	Version 1.1.5
Rack Project Rack	Version 1.1.6

References (38)

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

Source: secalert@redhat.com

http://rack.github.com/

Source: secalert@redhat.com

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2013-0686.html

Source: secalert@redhat.com

http://secunia.com/advisories/52033

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/52134

Source: secalert@redhat.com

Vendor Advisory

http://secunia.com/advisories/52774

Source: secalert@redhat.com

http://www.debian.org/security/2013/dsa-2783

Source: secalert@redhat.com

http://www.osvdb.org/89939

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=909071

Source: secalert@redhat.com

https://gist.github.com/codahale/f9f3781f7b54985bee94

Source: secalert@redhat.com

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

Source: secalert@redhat.com

https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Source: secalert@redhat.com

https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

Source: secalert@redhat.com

https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ

Source: secalert@redhat.com

https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

Source: secalert@redhat.com

https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ

Source: secalert@redhat.com

https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

Source: secalert@redhat.com

https://puppet.com/security/cve/cve-2013-0263

Source: secalert@redhat.com

https://twitter.com/coda/statuses/299732877745197056

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rack.github.com/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://rhn.redhat.com/errata/RHSA-2013-0686.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/52033

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/52134

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://secunia.com/advisories/52774

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2783

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.osvdb.org/89939

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=909071

Source: af854a3a-2127-422b-91ae-364da2661108

https://gist.github.com/codahale/f9f3781f7b54985bee94

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

Source: af854a3a-2127-422b-91ae-364da2661108

https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

Source: af854a3a-2127-422b-91ae-364da2661108

https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

Source: af854a3a-2127-422b-91ae-364da2661108

https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ

Source: af854a3a-2127-422b-91ae-364da2661108

https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

Source: af854a3a-2127-422b-91ae-364da2661108

https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ

Source: af854a3a-2127-422b-91ae-364da2661108

https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

Source: af854a3a-2127-422b-91ae-364da2661108

https://puppet.com/security/cve/cve-2013-0263

Source: af854a3a-2127-422b-91ae-364da2661108

https://twitter.com/coda/statuses/299732877745197056

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.