CVE-2013-0263

Rack <1.5.2, <1.4.5, <1.3.10, <1.2.8, <1.1.6 - RCE


Description

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

References (19)

Core References:
- Various Sources (x_refsource_confirm): https://puppet.com/security/cve/cve-2013-0263
- Various Sources (x_refsource_misc): https://twitter.com/coda/statuses/299732877745197056
- Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52774
- Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52033
- Vendor Advisory (x_refsource_confirm): http://rack.github.com/
- Vendor Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/52134
- Issue Tracking (x_refsource_misc): https://bugzilla.redhat.com/show_bug.cgi?id=909071
- Vendor Advisory (vendor-advisory, x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2013-0686.html
- Mailing List (vendor-advisory, x_refsource_suse): http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://www.osvdb.org/89939
- Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2013/dsa-2783

Scores

- EPSS: 0.1607
- EPSS Percentile: 94.8%

Details

- Status: published
- Products (29):
  - rack_project/rack 1.5.0
  - rack_project/rack 1.5.1
  - rack_project/rack 1.4.0
  - rack_project/rack 1.4.1
  - rack_project/rack 1.4.2
  - rack_project/rack 1.4.3
  - rack_project/rack 1.4.4
  - rack_project/rack 1.3.0
  - rack_project/rack 1.3.1
  - rack_project/rack 1.3.2
  - ... and 19 more
- Published: Feb 08, 2013
- Tracked Since: Feb 18, 2026