Vulnerability Description
Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Sinatrarb | Rack-Protection | < 1.5.5 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2018:1060Third Party Advisory
- https://github.com/sinatra/rack-protection/pull/98Issue TrackingThird Party Advisory
- https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547ecIssue TrackingPatchThird Party Advisory
- https://www.debian.org/security/2018/dsa-4247
- https://access.redhat.com/errata/RHSA-2018:1060Third Party Advisory
- https://github.com/sinatra/rack-protection/pull/98Issue TrackingThird Party Advisory
- https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547ecIssue TrackingPatchThird Party Advisory
- https://www.debian.org/security/2018/dsa-4247
FAQ
What is CVE-2018-1000119?
CVE-2018-1000119 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to b...
How severe is CVE-2018-1000119?
CVE-2018-1000119 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000119?
Check the references section above for vendor advisories and patch information. Affected products include: Sinatrarb Rack-Protection.