Candidate: CVE-2018-1000119
PublicDate: 2018-03-07 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000119
 https://snyk.io/vuln/SNYK-RUBY-SINATRA-20470
 https://snyk.io/vuln/SNYK-RUBY-RACKPROTECTION-20395
 https://github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
Description:
 Sinatra rack-protection versions 1.5.4 and 2.0.0.rc3 and earlier contains a
 timing attack vulnerability in the CSRF token checking that can result in
 signatures can be exposed. This attack appear to be exploitable via network
 connectivity to the ruby application. This vulnerability appears to have
 been fixed in 1.5.5 and 2.0.0.
Ubuntu-Description:
Notes:
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892250
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_ruby-rack-protection:
upstream_ruby-rack-protection: released (1.5.3-2.1, 1.5.3-2+deb9u1)
precise/esm_ruby-rack-protection: DNE
trusty_ruby-rack-protection: ignored (reached end-of-life)
trusty/esm_ruby-rack-protection: DNE (trusty was needed)
xenial_ruby-rack-protection: released (1.5.3-2+deb9u1build0.16.04.1)
artful_ruby-rack-protection: ignored (reached end-of-life)
bionic_ruby-rack-protection: released (1.5.3-2+deb9u1build0.18.04.1)
cosmic_ruby-rack-protection: not-affected (3.6.0-2)
disco_ruby-rack-protection: not-affected (3.6.0-2)
devel_ruby-rack-protection: not-affected (3.6.0-2)