CVE-2020-15237

Published 26 days ago
Category: Other
Source: GitHub
Severity: Moderate

Vulnerability in shrine

Impact

When using the derivation_endpoint plugin, it’s possible for the attacker to use a timing attack to guess the signature of the derivation URL.

Patches

The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the derivation_endpoint plugin are urged to upgrade to Shrine 3.3.0 or greater.

Workarounds

Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:

class Shrine
  class UrlSigner
    def verify_signature(string, signature)
      if signature.nil?
        fail InvalidSignature, "missing \"signature\" param"
      elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
        fail InvalidSignature, "provided signature does not match the calculated signature"
      end
    end
  end
end

References

You can read more about timing attacks here.

CVSS Metrics
Access Vector Access Complexity Authentication Confidentiality Impact Integrity Impact Availability Impact
n/a n/a n/a n/a n/a n/a
Patched Versions

>= 3.3.0

Unaffected Versions

n/a

References

n/a