CVE-2009-3086
rails - several
EPSS 0.56%
Description
A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
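The weakness described above is a timing side channel: if the cookie store checks the HMAC with an ordinary string comparison, the check returns as soon as the first differing byte is found, so the time it takes reflects how much of a candidate digest is correct. The following Ruby example, added here and not taken from Rails itself, shows the naive comparison next to a constant-time one that inspects every byte regardless of where the difference lies. The secret and cookie payload are constructed for the demo, and the "data--digest" cookie layout is modelled loosely on the ActiveSupport::MessageVerifier format of the affected versions; the function names are the example's own.

```ruby
require 'openssl'
require 'base64'

# Constructed demo secret; in a real application this is the session secret.
DEMO_SECRET = 'demo-secret-not-for-production'

# HMAC-SHA1 over the cookie payload, hex encoded (the cookie store's digest).
def cookie_digest(secret, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha1'), secret, data)
end

# Naive verification: String#== stops at the first differing byte, so the
# elapsed time depends on how long a correct prefix the supplied digest has.
# This is the pattern the advisory is about.
def verify_naive(secret, data, digest)
  cookie_digest(secret, data) == digest
end

# Constant-time comparison: every byte pair is visited and the result is
# accumulated with XOR/OR, so there is no early exit to measure. The only
# early return is on length mismatch, which reveals nothing secret because
# the digest length is fixed and public.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# Hardened verification: same digest, but compared without a data-dependent
# early exit.
def verify_hardened(secret, data, digest)
  constant_time_equal?(cookie_digest(secret, data), digest)
end

# Produce a signed cookie value in a "base64(data)--hexdigest" layout.
def sign_cookie(secret, data)
  "#{Base64.strict_encode64(data)}--#{cookie_digest(secret, data)}"
end

# Returns the payload if the signature verifies, nil otherwise.
def verify_signed_cookie(secret, cookie)
  encoded, digest = cookie.split('--', 2)
  return nil if encoded.nil? || digest.nil?
  begin
    data = Base64.strict_decode64(encoded)
  rescue ArgumentError
    return nil # malformed base64 is treated like a bad signature
  end
  verify_hardened(secret, data, digest) ? data : nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign_cookie(DEMO_SECRET, 'user_id=42')
  puts verify_signed_cookie(DEMO_SECRET, cookie).inspect
  puts verify_signed_cookie(DEMO_SECRET, sign_cookie('wrong-secret', 'user_id=1')).inspect
end
```

In current Rails and Rack the same idea is available as `ActiveSupport::SecurityUtils.secure_compare` and `Rack::Utils.secure_compare`; the hand-written `constant_time_equal?` above is only there to make the difference from `==` visible. Note that the fix does not change the HMAC itself, only how the two digests are compared.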
How to fix CVE-2009-3086
To remediate CVE-2009-3086, upgrade the affected package to a fixed version below.
- Debian/rails: upgrade to 2.2.3-1 or later
- Debian/rails: upgrade to 2.1.0-7+lenny0.2 or later
- RubyGems/actionpack: upgrade to 2.2.3 or later
- (package not named on the page): upgrade to 2.2.3 or later
Is CVE-2009-3086 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2.2.3-1
- from 0, < 2.1.0-7+lenny0.2
- >= 2.1.0, < 2.2.3
- >= 2.1.0, < 2.2.3