CVE-2013-0263
Rack arbitrary code execution via timing attack
EPSS 16.1%
Description
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.
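The flaw is in how a signed session cookie's HMAC is checked, not in the HMAC itself. The following Ruby is an added illustration written for this page, not Rack's code: a hypothetical `sign` / `verify_naive` / `verify_constant_time` trio with a constructed sample secret, showing a short-circuiting `==` comparison (the defect the description refers to) beside a comparison that always touches every byte of the digest.

```ruby
require 'openssl'

# Constructed example, not Rack's implementation. A cookie-based session
# carries "<payload>--<hex HMAC>"; the server recomputes the HMAC over the
# payload and compares. How that comparison is written is the whole issue.

SECRET = 'example-secret-do-not-use'  # constructed sample secret

# Sign a serialized session payload with HMAC-SHA1 over the secret.
def sign(payload, secret = SECRET)
  digest = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  "#{payload}--#{digest}"
end

# Split "<payload>--<digest>" on the last separator, so a payload that
# itself contains "--" is still handled; the hex digest never contains it.
def split_cookie(cookie)
  payload, sep, digest = cookie.rpartition('--')
  return nil if sep.empty?
  [payload, digest]
end

# Vulnerable verification: String#== returns as soon as a byte differs,
# so response time depends on how many leading digest bytes matched.
def verify_naive(cookie, secret = SECRET)
  parts = split_cookie(cookie) or return nil
  payload, digest = parts
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  digest == expected ? payload : nil
end

# Constant-time comparison: XOR every byte pair and OR the results, so the
# work done does not depend on where (or whether) the strings differ.
# The only early exit is on length, and the length of a hex digest is public.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
  result.zero?
end

# Fixed verification: same protocol, comparison replaced.
def verify_constant_time(cookie, secret = SECRET)
  parts = split_cookie(cookie) or return nil
  payload, digest = parts
  expected = OpenSSL::HMAC.hexdigest('SHA1', secret, payload)
  secure_compare(digest, expected) ? payload : nil
end

if __FILE__ == $PROGRAM_NAME
  cookie = sign('user=alice')
  puts "signed cookie:      #{cookie}"
  puts "naive verify:       #{verify_naive(cookie).inspect}"
  puts "constant-time:      #{verify_constant_time(cookie).inspect}"
  forged = 'user=admin' + cookie[cookie.rindex('--')..]
  puts "forged, naive:      #{verify_naive(forged).inspect}"
  puts "forged, const-time: #{verify_constant_time(forged).inspect}"
end
```

Both verifiers accept and reject the same cookies; the difference is only in timing behaviour, which is why this class of bug is invisible to functional tests. Newer versions of Ruby's `openssl` gem ship `OpenSSL.fixed_length_secure_compare` for the same purpose, and a code review of any session or token check should look for a bare `==` on a MAC or signature.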
How to fix CVE-2013-0263
To remediate CVE-2013-0263, upgrade the affected package to a fixed version below.
- Debian/ruby-rack—upgrade to 1.4.1-2.1 or later
- RubyGems/rack—upgrade to 1.5.2 or later
Is CVE-2013-0263 being exploited?
Moderate — EPSS is 16.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (2)
- Debian/ruby-rack: from 0, < 1.4.1-2.1
- RubyGems/rack: >= 1.5.0, < 1.5.2