Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 5.0
CVE Id: CVE-2009-3086
Last Modified: 06 Jul 2012 01:08:40
Published: 08 Sep 2009 02:30:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2009-3086

Summary

A certain algorithm in Ruby on Rails 2.1.0 through 2.2.2, and 2.3.x before 2.3.4, leaks information about the complexity of message-digest signature verification in the cookie store, which might allow remote attackers to forge a digest via multiple attempts.
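As an added illustration that is not part of this record or of the Rails code base, the constructed Ruby sketch below shows the class of weakness the summary describes: a minimal cookie-style message verifier whose signature check either returns at the first mismatching byte (leaking how much of a guessed digest is right) or examines every byte before answering. The CookieVerifier class, the `--` separator and the secret are assumptions for the example.

```ruby
require 'openssl'

# Constructed example: a minimal cookie-store style verifier that signs
# a payload as "<data>--<hex HMAC-SHA1 digest>" (format is an assumption).
class CookieVerifier
  def initialize(secret)
    @secret = secret
  end

  def generate(data)
    "#{data}--#{digest(data)}"
  end

  # Weak form: a comparison that returns as soon as it finds a differing
  # byte, so verification time depends on how long the correct prefix of
  # the supplied digest is.
  def verify_insecure(signed)
    data, sig = split_signed(signed)
    return nil if data.nil?
    sig == digest(data) ? data : nil
  end

  # Hardened form: every byte is examined regardless of where the first
  # mismatch sits, so timing carries no information about the digest.
  def verify_secure(signed)
    data, sig = split_signed(signed)
    return nil if data.nil?
    secure_compare(sig, digest(data)) ? data : nil
  end

  private

  def split_signed(signed)
    data, sep, sig = signed.rpartition('--')
    return [nil, nil] if sep.empty?
    [data, sig]
  end

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA1', @secret, data)
  end

  # Constant-time compare: a length mismatch is not secret, so it may exit
  # early; otherwise OR together the XOR of every byte pair.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    result = 0
    a.bytes.zip(b.bytes) { |x, y| result |= x ^ y }
    result.zero?
  end
end
```

Either form rejects a tampered payload; the difference is only in what the verification time reveals, which is why the fix is in the comparison rather than in the digest.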

Vulnerable Systems

Application

  • Ruby On Rails 2.1
  • Ruby On Rails 2.1.0
  • Ruby On Rails 2.1.1
  • Ruby On Rails 2.1.2
  • Ruby On Rails 2.2.0
  • Ruby On Rails 2.2.1
  • Ruby On Rails 2.2.2
  • Ruby On Rails 2.3.2
  • Ruby On Rails 2.3.3


References

CONFIRM - http://weblog.rubyonrails.org/2009/9/4/timing-weakness-in-ruby-on-rails
VUPEN - ADV-2009-2544
BID - 37427
DEBIAN - DSA-2260
SECUNIA - 36600
SUSE - SUSE-SR:2009:017


Last Updated: 27 May 2016 10:54:50