Vulnerabilidad en Rack::Sesión::Cookie (CVE-2013-0263)
Gravedad CVSS v2.0:
MEDIA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
08/02/2013
Última modificación:
11/04/2025
Descripción
Rack::Sesión::Cookie en rack v1.5.x antes de v1.5.2, v1.4.x antes de v1.4.5, v1.3.x antes de v1.3.10, v1.2.x antes de v1.2.8, antes de v1.1.x y v1.1.6 permite atacantes remotos para adivinar la cookie de sesión, los privilegios de ganancia, y ejecutar código arbitrario a través de un ataque de sincronización que implica una función de comparación HMAC que no se ejecuta en tiempo constante.
Impacto
Puntuación base 2.0
5.10
Gravedad 2.0
MEDIA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página
Referencias a soluciones, herramientas e información
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52033
- http://secunia.com/advisories/52134
- http://secunia.com/advisories/52774
- http://www.debian.org/security/2013/dsa-2783
- http://www.osvdb.org/89939
- https://bugzilla.redhat.com/show_bug.cgi?id=909071
- https://gist.github.com/codahale/f9f3781f7b54985bee94
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
- https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
- https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
- https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
- https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
- https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
- https://puppet.com/security/cve/cve-2013-0263
- https://twitter.com/coda/statuses/299732877745197056
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52033
- http://secunia.com/advisories/52134
- http://secunia.com/advisories/52774
- http://www.debian.org/security/2013/dsa-2783
- http://www.osvdb.org/89939
- https://bugzilla.redhat.com/show_bug.cgi?id=909071
- https://gist.github.com/codahale/f9f3781f7b54985bee94
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
- https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
- https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
- https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
- https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
- https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
- https://puppet.com/security/cve/cve-2013-0263
- https://twitter.com/coda/statuses/299732877745197056