CVE-2015-3225
rack Critical
Denial of Service
Discovered 7 months ago
Published about 6 years ago
Category: Denial of Service
Severity: Critical

Carefully crafted requests can cause a SystemStackError and potentially cause a denial of service attack.

All users running an affected release should upgrade.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 1.6.2 ~> 1.5.4 ~> 1.4.6

Unaffected Versions

n/a

References

n/a

CVE-2020-8161
rack Critical
File Access
Discovered 7 months ago
Published about 1 year ago
Category: File Access
Severity: Critical

There was a possible directory traversal vulnerability in the Rack::Directory app that is bundled with Rack.

Versions Affected: rack < 2.2.0 Not affected: Applications that do not use Rack::Directory. Fixed Versions: 2.1.3, >= 2.2.0

Impact

If certain directories exist in a director that is managed by Rack::Directory, an attacker could, using this vulnerability, read the contents of files on the server that were outside of the root specified in the Rack::Directory initializer.

Workarounds

Until such time as the patch is applied or their Rack version is upgraded, we recommend that developers do not use Rack::Directory in their applications.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 2.1.3 >= 2.2.0

Unaffected Versions

n/a

References

n/a

CVE-2018-16471
rack Severe
Cross-Site Scripting
Discovered 7 months ago
Published over 2 years ago
Category: Cross-Site Scripting
Severity: Severe

There is a possible vulnerability in Rack. This vulnerability has been assigned the CVE identifier CVE-2018-16471.

Versions Affected: All. Not affected: None. Fixed Versions: 2.0.6, 1.6.11

Impact

There is a possible XSS vulnerability in Rack. Carefully crafted requests can impact the data returned by the scheme method on Rack::Request. Applications that expect the scheme to be limited to “http” or “https” and do not escape the return value could be vulnerable to an XSS attack.

Vulnerable code looks something like this:

<%= request.scheme.html_safe %>

Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The 2.0.6 and 1.6.11 releases are available at the normal locations.

Workarounds

The following monkey patch can be applied to work around this issue:

require "rack"
require "rack/request"

class Rack::Request
SCHEME_WHITELIST = %w(https http).freeze

def scheme
  if get_header(Rack::HTTPS) == 'on'
    'https'
  elsif get_header(HTTP_X_FORWARDED_SSL) == 'on'
    'https'
  elsif forwarded_scheme
    forwarded_scheme
  else
    get_header(Rack::RACK_URL_SCHEME)
  end
end

def forwarded_scheme
  scheme_headers = [
    get_header(HTTP_X_FORWARDED_SCHEME),
    get_header(HTTP_X_FORWARDED_PROTO).to_s.split(',')[0]
  ]

  scheme_headers.each do |header|
    return header if SCHEME_WHITELIST.include?(header)
  end

  nil
end
end
CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 1.6.11 >= 2.0.6

Unaffected Versions

n/a

References

n/a

CVE-2019-16782
rack Severe
Information Disclosure
Discovered 7 months ago
Published over 1 year ago
Category: Information Disclosure
Source: GitHub
Severity: Severe

There’s a possible information leak / session hijack vulnerability in Rack.

Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

Impact:

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 1.6.12 >= 2.0.8

Unaffected Versions

n/a

References

n/a

CVE-2009-4123
jruby-openssl Severe
SSL Verification Bypass
Discovered 7 months ago
Published over 11 years ago
Category: SSL Verification Bypass
Source: jruby.org
Severity: Severe

A security problem involving peer certificate verification was found where failed verification silently did nothing, making affected applications vulnerable to attackers. Attackers could lead a client application to believe that a secure connection to a rogue SSL server is legitimate. Attackers could also penetrate client-validated SSL server applications with a dummy certificate.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 0.6

Unaffected Versions

n/a

References

n/a

CVE-2020-8184
rack Severe
Cross-Site Request Forgery
Discovered 7 months ago
Published about 1 year ago
Category: Cross-Site Request Forgery
Severity: Severe

It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request. This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4 Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact

An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.

Workarounds

If your application is impacted but you cannot upgrade to the released versions or apply the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

~> 2.1.4 >= 2.2.3

Unaffected Versions

n/a

References

n/a

CVE-2013-0256 / OSVDB-90004
rdoc Moderate
Cross-Site Scripting
Discovered 7 months ago
Published over 8 years ago
Category: Cross-Site Scripting
Source: NIST NVD
Severity: Moderate

Doc documentation generated by rdoc 2.3.0 through rdoc 3.12 and prereleases up to rdoc 4.0.0.preview2.1 are vulnerable to an XSS exploit. This exploit may lead to cookie disclosure to third parties.

The exploit exists in darkfish.js which is copied from the RDoc install location to the generated documentation.

RDoc is a static documentation generation tool. Patching the library itself is insufficient to correct this exploit.

This exploit was discovered by Evgeny Ermakov corwmh@gmail.com.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Network None None Partial None
Patched Versions

~> 3.9.5 ~> 3.12.1 >= 4.0

Unaffected Versions

n/a

References

n/a