CVE-2018-1000119

{"id": "CVE-2018-1000119", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}]}, "published": "2018-03-07T14:29:00.390", "references": [{"url": "https://access.redhat.com/errata/RHSA-2018:1060", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/sinatra/rack-protection/pull/98", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.debian.org/security/2018/dsa-4247", "source": "cve@mitre.org"}, {"url": "https://access.redhat.com/errata/RHSA-2018:1060", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/sinatra/rack-protection/pull/98", "tags": ["Issue Tracking", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb#commitcomment-27964109", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2018/dsa-4247", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-203"}]}], "descriptions": [{"lang": "en", "value": "Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application. This vulnerability appears to have been fixed in 1.5.5 and 2.0.0."}, {"lang": "es", "value": "Sinatra rack-protection, en versiones 1.5.4, 2.0.0.rc3 y anteriores, contiene una vulnerabilidad de ataque de sincronizaci\u00f3n en la comprobaci\u00f3n de token CSRF que puede resultar en que las firmas queden expuestas. Este ataque parece ser explotable mediante conectividad de red en la aplicaci\u00f3n Ruby. La vulnerabilidad parece haber sido solucionada en las versiones 1.5.5 y 2.0.0."}], "lastModified": "2024-11-21T03:39:41.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sinatrarb:rack-protection:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AF14FDB6-1F06-40E9-8F0B-8683865A97D2", "versionEndExcluding": "1.5.5"}, {"criteria": "cpe:2.3:a:sinatrarb:rack-protection:2.0.0:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF103D03-A341-40A0-A4A7-A79E0A2F6E0E"}, {"criteria": "cpe:2.3:a:sinatrarb:rack-protection:2.0.0:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB3A8773-F11D-408C-8E75-7D8102212138"}, {"criteria": "cpe:2.3:a:sinatrarb:rack-protection:2.0.0:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B98EB8D6-5942-4A49-AA49-BF9C3FA83E87"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}