Timing Vulnerability in Basic Authentication of Ruby on Rails by Action Controller
CVE-2015-7576

3.7LOW

Key Information:

Vendor

Rubyonrails

Status
Ruby On Rails
Rails
Vendor
CVE Published:
16 February 2016

What is CVE-2015-7576?

The Basic Authentication implementation in Action Controller of Ruby on Rails contains a timing attack vulnerability that allows remote attackers to bypass authentication mechanisms. Specifically, the method responsible for verifying credentials does not utilize a constant-time algorithm, enabling attackers to exploit timing variations to gain unauthorized access.

References

http://www.openwall.com/lists/oss-security/2016/01/25/8
mailing-listx_refsource_MLIST
http://lists.fedoraproject.org/pipermail/package-announce...
vendor-advisoryx_refsource_FEDORA
http://lists.opensuse.org/opensuse-updates/2016-02/msg000...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.