Vulnerability-Lookup

CVE-2015-7576 (GCVE-0-2015-7576)

Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-06 07:51

Summary

The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

GSD-2015-7576

Vulnerability from gsd - Updated: 2016-01-25 00:00

Details

There is a timing attack vulnerability in the basic authentication support in Action Controller. This vulnerability has been assigned the CVE identifier CVE-2015-7576. Versions Affected: All. Not affected: None. Fixed Versions: 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 Impact ------ Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. For example, this string comparison: "foo" == "bar" is possibly faster than this comparison: "foo" == "fo1" Attackers can use this information to attempt to guess the username and password used in the basic authentication system. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The FIXED releases are available at the normal locations. Workarounds ----------- If you can't upgrade, please use the following monkey patch in an initializer that is loaded before your application: ``` $ cat config/initializers/basic_auth_fix.rb module ActiveSupport module SecurityUtils def secure_compare(a, b) return false unless a.bytesize == b.bytesize l = a.unpack "C#{a.bytesize}" res = 0 b.each_byte { |byte| res |= byte ^ l.shift } res == 0 end module_function :secure_compare def variable_size_secure_compare(a, b) secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b)) end module_function :variable_size_secure_compare end end module ActionController class Base def self.http_basic_authenticate_with(options = {}) before_action(options.except(:name, :password, :realm)) do authenticate_or_request_with_http_basic(options[:realm] || "Application") do |name, password| # This comparison uses & so that it doesn't short circuit and # uses `variable_size_secure_compare` so that length information # isn't leaked. ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) & ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password]) end end end end end ``` Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 4-1-basic_auth.patch - Patch for 4.1 series * 4-2-basic_auth.patch - Patch for 4.2 series * 5-0-basic_auth.patch - Patch for 5.0 series Please note that only the 4.1.x and 4.2.x series are supported at present. Users of earlier unsupported releases are advised to upgrade as soon as possible as we cannot guarantee the continued availability of security fixes for unsupported releases. Credits ------- Thank you to Daniel Waterworth for reporting the problem and working with us to fix it.

Aliases

CVE-2015-7576

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2015-7576",
    "description": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
    "id": "GSD-2015-7576",
    "references": [
      "https://www.suse.com/security/cve/CVE-2015-7576.html",
      "https://www.debian.org/security/2016/dsa-3464",
      "https://access.redhat.com/errata/RHSA-2016:0455",
      "https://access.redhat.com/errata/RHSA-2016:0454",
      "https://access.redhat.com/errata/RHSA-2016:0296"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "actionpack",
            "purl": "pkg:gem/actionpack"
          }
        }
      ],
      "aliases": [
        "CVE-2015-7576",
        "GHSA-p692-7mm3-3fxg"
      ],
      "details": "There is a timing attack vulnerability in the basic authentication support\nin Action Controller. This vulnerability has been assigned the CVE\nidentifier CVE-2015-7576.\n\nVersions Affected:  All.\nNot affected:       None.\nFixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1\n\nImpact\n------\nDue to the way that Action Controller compares user names and passwords in\nbasic authentication authorization code, it is possible for an attacker to\nanalyze the time taken by a response and intuit the password.\n\nFor example, this string comparison:\n\n  \"foo\" == \"bar\"\n\nis possibly faster than this comparison:\n\n  \"foo\" == \"fo1\"\n\nAttackers can use this information to attempt to guess the username and\npassword used in the basic authentication system.\n\nYou can tell you application is vulnerable to this attack by looking for\n`http_basic_authenticate_with` method calls in your application.\n\nAll users running an affected release should either upgrade or use one of\nthe workarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nIf you can\u0027t upgrade, please use the following monkey patch in an initializer\nthat is loaded before your application:\n\n```\n$ cat config/initializers/basic_auth_fix.rb\nmodule ActiveSupport\n  module SecurityUtils\n    def secure_compare(a, b)\n      return false unless a.bytesize == b.bytesize\n\n      l = a.unpack \"C#{a.bytesize}\"\n\n      res = 0\n      b.each_byte { |byte| res |= byte ^ l.shift }\n      res == 0\n    end\n    module_function :secure_compare\n\n    def variable_size_secure_compare(a, b)\n      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))\n    end\n    module_function :variable_size_secure_compare\n  end\nend\n\nmodule ActionController\n  class Base\n    def self.http_basic_authenticate_with(options = {})\n      before_action(options.except(:name, :password, :realm)) do\n        authenticate_or_request_with_http_basic(options[:realm] || \"Application\") do |name, password|\n          # This comparison uses \u0026 so that it doesn\u0027t short circuit and\n          # uses `variable_size_secure_compare` so that length information\n          # isn\u0027t leaked.\n          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) \u0026\n            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])\n        end\n      end\n    end\n  end\nend\n```\n\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 4-1-basic_auth.patch - Patch for 4.1 series\n* 4-2-basic_auth.patch - Patch for 4.2 series\n* 5-0-basic_auth.patch - Patch for 5.0 series\n\nPlease note that only the 4.1.x and 4.2.x series are supported at present. Users\nof earlier unsupported releases are advised to upgrade as soon as possible as we\ncannot guarantee the continued availability of security fixes for unsupported\nreleases.\n\nCredits\n-------\n\nThank you to Daniel Waterworth for reporting the problem and working with us to\nfix it.\n",
      "id": "GSD-2015-7576",
      "modified": "2016-01-25T00:00:00.000Z",
      "published": "2016-01-25T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 4.3,
          "type": "CVSS_V2"
        },
        {
          "score": 3.7,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Timing attack vulnerability in basic authentication in Action Controller."
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2015-7576",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
          },
          {
            "name": "FEDORA-2016-3ede04cd79",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
          },
          {
            "name": "openSUSE-SU-2016:0372",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
          },
          {
            "name": "openSUSE-SU-2016:0363",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
          },
          {
            "name": "FEDORA-2016-94e71ee673",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
          },
          {
            "name": "81803",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/81803"
          },
          {
            "name": "FEDORA-2016-f486068393",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
          },
          {
            "name": "SUSE-SU-2016:1146",
            "refsource": "SUSE",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
          },
          {
            "name": "1034816",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1034816"
          },
          {
            "name": "DSA-3464",
            "refsource": "DEBIAN",
            "url": "http://www.debian.org/security/2016/dsa-3464"
          },
          {
            "name": "RHSA-2016:0296",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
          },
          {
            "name": "FEDORA-2016-cb30088b06",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
          },
          {
            "name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
            "refsource": "MLIST",
            "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2015-7576",
      "cvss_v2": 4.3,
      "cvss_v3": 3.7,
      "date": "2016-01-25",
      "description": "There is a timing attack vulnerability in the basic authentication support\nin Action Controller. This vulnerability has been assigned the CVE\nidentifier CVE-2015-7576.\n\nVersions Affected:  All.\nNot affected:       None.\nFixed Versions:     5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1\n\nImpact\n------\nDue to the way that Action Controller compares user names and passwords in\nbasic authentication authorization code, it is possible for an attacker to\nanalyze the time taken by a response and intuit the password.\n\nFor example, this string comparison:\n\n  \"foo\" == \"bar\"\n\nis possibly faster than this comparison:\n\n  \"foo\" == \"fo1\"\n\nAttackers can use this information to attempt to guess the username and\npassword used in the basic authentication system.\n\nYou can tell you application is vulnerable to this attack by looking for\n`http_basic_authenticate_with` method calls in your application.\n\nAll users running an affected release should either upgrade or use one of\nthe workarounds immediately.\n\nReleases\n--------\nThe FIXED releases are available at the normal locations.\n\nWorkarounds\n-----------\nIf you can\u0027t upgrade, please use the following monkey patch in an initializer\nthat is loaded before your application:\n\n```\n$ cat config/initializers/basic_auth_fix.rb\nmodule ActiveSupport\n  module SecurityUtils\n    def secure_compare(a, b)\n      return false unless a.bytesize == b.bytesize\n\n      l = a.unpack \"C#{a.bytesize}\"\n\n      res = 0\n      b.each_byte { |byte| res |= byte ^ l.shift }\n      res == 0\n    end\n    module_function :secure_compare\n\n    def variable_size_secure_compare(a, b)\n      secure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))\n    end\n    module_function :variable_size_secure_compare\n  end\nend\n\nmodule ActionController\n  class Base\n    def self.http_basic_authenticate_with(options = {})\n      before_action(options.except(:name, :password, :realm)) do\n        authenticate_or_request_with_http_basic(options[:realm] || \"Application\") do |name, password|\n          # This comparison uses \u0026 so that it doesn\u0027t short circuit and\n          # uses `variable_size_secure_compare` so that length information\n          # isn\u0027t leaked.\n          ActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) \u0026\n            ActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])\n        end\n      end\n    end\n  end\nend\n```\n\n\nPatches\n-------\nTo aid users who aren\u0027t able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 4-1-basic_auth.patch - Patch for 4.1 series\n* 4-2-basic_auth.patch - Patch for 4.2 series\n* 5-0-basic_auth.patch - Patch for 5.0 series\n\nPlease note that only the 4.1.x and 4.2.x series are supported at present. Users\nof earlier unsupported releases are advised to upgrade as soon as possible as we\ncannot guarantee the continued availability of security fixes for unsupported\nreleases.\n\nCredits\n-------\n\nThank you to Daniel Waterworth for reporting the problem and working with us to\nfix it.\n",
      "framework": "rails",
      "gem": "actionpack",
      "ghsa": "p692-7mm3-3fxg",
      "patched_versions": [
        "\u003e= 5.0.0.beta1.1",
        "~\u003e 4.2.5, \u003e= 4.2.5.1",
        "~\u003e 4.1.14, \u003e= 4.1.14.1",
        "~\u003e 3.2.22.1"
      ],
      "title": "Timing attack vulnerability in basic authentication in Action Controller.",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=5.0.0.alpha \u003c5.0.0.beta1.1||\u003e=4.2.0.alpha \u003c4.2.5.1||\u003e=4.0.0.alpha \u003c4.1.14.1||\u003c3.2.22.1",
          "affected_versions": "All versions starting from 5.0.0.alpha before 5.0.0.beta1.1, all versions starting from 4.2.0.alpha before 4.2.5.1, all versions starting from 4.0.0.alpha before 4.1.14.1, all versions before 3.2.22.1",
          "credit": "Daniel Waterworth",
          "cvss_v2": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-254",
            "CWE-937"
          ],
          "date": "2019-08-08",
          "description": "Due to the way that Action Controller compares user names and passwords in basic authentication authorization code, it is possible for an attacker to analyze the time taken by a response and intuit the password. You can tell you application is vulnerable to this attack by looking for `http_basic_authenticate_with` method calls in your application. ",
          "fixed_versions": [
            "3.2.22.1",
            "4.1.14.1",
            "4.2.5.1",
            "5.0.0.beta1.1"
          ],
          "identifier": "CVE-2015-7576",
          "identifiers": [
            "CVE-2015-7576"
          ],
          "package_slug": "gem/actionpack",
          "pubdate": "2016-02-15",
          "solution": "Upgrade to latest, apply patches or use workaround. See provided link.",
          "title": "Timing attack vulnerability in basic authentication",
          "urls": [
            "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
          ],
          "uuid": "3460469f-62d8-4337-98df-e740e0ab1d28"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "3.2.22",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2015-7576"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-254"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
            },
            {
              "name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
            },
            {
              "name": "81803",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/81803"
            },
            {
              "name": "SUSE-SU-2016:1146",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
            },
            {
              "name": "FEDORA-2016-94e71ee673",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
            },
            {
              "name": "FEDORA-2016-cb30088b06",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
            },
            {
              "name": "RHSA-2016:0296",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
            },
            {
              "name": "FEDORA-2016-f486068393",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
            },
            {
              "name": "FEDORA-2016-3ede04cd79",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
            },
            {
              "name": "openSUSE-SU-2016:0372",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
            },
            {
              "name": "openSUSE-SU-2016:0363",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
            },
            {
              "name": "DSA-3464",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2016/dsa-3464"
            },
            {
              "name": "1034816",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1034816"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM"
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 3.7,
            "baseSeverity": "LOW",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.0"
          },
          "exploitabilityScore": 2.2,
          "impactScore": 1.4
        }
      },
      "lastModifiedDate": "2019-08-08T15:43Z",
      "publishedDate": "2016-02-16T02:59Z"
    }
  }
}

CVE-2015-7576

Vulnerability from fstec - Published: 16.02.2016

Title

Уязвимость программной платформы Ruby on Rails, позволяющая нарушителю обойти процедуру аутентификации

Description

Уязвимость метода http_basic_authenticate_with method (actionpack/lib/action_controller/metal/http_authentication.rb) реализации Basic Authentication компонента Action Controller программной платформы Ruby on Rails связана с ошибками в настройках безопасности. Эксплуатация уязвимости может позволить нарушителю, действующему удалённо, обойти процедуру аутентификации при помощи измерения разниц во времени

Severity ?

Vendor

Rails Core Team

Software Name

Ruby on Rails

Software Version

до 3.2.22.1 (Ruby on Rails), от 4.0 до 4.1.14.1 (Ruby on Rails), от 4.2 до 4.2.5.1 (Ruby on Rails), от 5 до 5.0.0.beta1.1 (Ruby on Rails)

Possible Mitigations

Обновление программного средства до версии 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 или новее

Reference

https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ http://www.openwall.com/lists/oss-security/2016/01/25/8

CWE

CWE-254

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
  "CVSS 3.0": null,
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Rails Core Team",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "\u0434\u043e 3.2.22.1 (Ruby on Rails), \u043e\u0442 4.0 \u0434\u043e 4.1.14.1 (Ruby on Rails), \u043e\u0442 4.2 \u0434\u043e 4.2.5.1 (Ruby on Rails), \u043e\u0442 5 \u0434\u043e 5.0.0.beta1.1 (Ruby on Rails)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 5.0.0.beta1.1, 4.2.5.1, 4.1.14.1, 3.2.22.1 \u0438\u043b\u0438 \u043d\u043e\u0432\u0435\u0435",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "16.02.2016",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "23.03.2021",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "31.03.2016",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2016-00815",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2015-7576",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Ruby on Rails",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "\u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Linux . 64-bit, \u0421\u043e\u043e\u0431\u0449\u0435\u0441\u0442\u0432\u043e \u0441\u0432\u043e\u0431\u043e\u0434\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f Linux . 32-bit, Apple Inc. MacOS X 32-bit, Microsoft Corp Windows - 64-bit, Microsoft Corp Windows - 32-bit, Apple Inc. MacOS X 64-bit, Oracle Corp. Solaris . 64-bit, Oracle Corp. Solaris . 32-bit, Oracle Corp. Solaris . SPARC",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u042d\u043b\u0435\u043c\u0435\u043d\u0442\u044b \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (CWE-254)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043c\u0435\u0442\u043e\u0434\u0430 http_basic_authenticate_with method (actionpack/lib/action_controller/metal/http_authentication.rb) \u0440\u0435\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438 Basic Authentication \u043a\u043e\u043c\u043f\u043e\u043d\u0435\u043d\u0442\u0430 Action Controller \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b Ruby on Rails \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043e\u0448\u0438\u0431\u043a\u0430\u043c\u0438 \u0432 \u043d\u0430\u0441\u0442\u0440\u043e\u0439\u043a\u0430\u0445 \u0431\u0435\u0437\u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0451\u043d\u043d\u043e, \u043e\u0431\u043e\u0439\u0442\u0438 \u043f\u0440\u043e\u0446\u0435\u0434\u0443\u0440\u0443 \u0430\u0443\u0442\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0446\u0438\u0438 \u043f\u0440\u0438 \u043f\u043e\u043c\u043e\u0449\u0438 \u0438\u0437\u043c\u0435\u0440\u0435\u043d\u0438\u044f \u0440\u0430\u0437\u043d\u0438\u0446 \u0432\u043e \u0432\u0440\u0435\u043c\u0435\u043d\u0438",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": "-",
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ\nhttp://www.openwall.com/lists/oss-security/2016/01/25/8",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-254",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)"
}

GHSA-P692-7MM3-3FXG

Vulnerability from github – Published: 2017-10-24 18:33 – Updated: 2023-07-31 20:59

Summary

actionpack is vulnerable to remote bypass authentication

Details

Severity ?

3.7 (Low)


                  
                    CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.2.22.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.1.0"
            },
            {
              "fixed": "3.2.22.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.1.14.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionpack"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.1.14.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2015-7576"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:48:14Z",
    "nvd_published_at": "2016-02-16T02:59:00Z",
    "severity": "LOW"
  },
  "details": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
  "id": "GHSA-p692-7mm3-3fxg",
  "modified": "2023-07-31T20:59:11Z",
  "published": "2017-10-24T18:33:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-7576"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/commit/17e6f1507b7f2c2a883c180f4f9548445d6dfbd"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7576.yml"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/ANv0HDHEC3k"
    },
    {
      "type": "WEB",
      "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20160405205300/http://www.securitytracker.com/id/1034816"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81803"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2016/dsa-3464"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "actionpack is vulnerable to remote bypass authentication"
}

CERTFR-2016-AVI-037

Vulnerability from certfr_avis - Published: 2016-01-26 - Updated: 2016-01-26

De multiples vulnérabilités ont été corrigées dans Ruby On Rails. Certaines d'entre elles permettent à un attaquant de provoquer un déni de service à distance, un contournement de la politique de sécurité et une atteinte à l'intégrité des données.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 4.1.x antérieures à 4.1.14.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 4.2.x antérieures à 4.2.5.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 5.0.x antérieures à 5.0.0.beta1.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 3.2.x antérieures à 3.2.22.1

References

Title

Publication Time

CNVD-2016-00971

Vulnerability from cnvd - Published: 2016-02-16

Title

Ruby On Rails Action Controller信息泄露漏洞

Description

Ruby on Rails是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架。Action Controller是其中的一个MVC的C控制器组件。 Ruby On Rails Action Controller存在安全漏洞，允许远程攻击者可利用该漏洞提交特殊请求获取敏感信息。

Severity

中

Patch Name

Ruby On Rails Action Controller信息泄露漏洞的补丁

Patch Description

Ruby on Rails是Rails核心团队开发维护的一套基于Ruby语言的开源Web应用框架。Action Controller是其中的一个MVC的C控制器组件。 Ruby On Rails Action Controller存在安全漏洞，允许远程攻击者可利用该漏洞提交特殊请求获取敏感信息。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

用户可参考如下厂商提供的安全补丁以修复该漏洞： http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/

Reference

http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/

Impacted products

Name
Ruby on Rails Action Controller

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "81803"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-7576"
    }
  },
  "description": "Ruby on Rails\u662fRails\u6838\u5fc3\u56e2\u961f\u5f00\u53d1\u7ef4\u62a4\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002Action Controller\u662f\u5176\u4e2d\u7684\u4e00\u4e2aMVC\u7684C\u63a7\u5236\u5668\u7ec4\u4ef6\u3002\r\n\r\nRuby On Rails Action Controller\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
  "discovererName": "Daniel Waterworth.",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u5382\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u8865\u4e01\u4ee5\u4fee\u590d\u8be5\u6f0f\u6d1e\uff1a\r\nhttp://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2016-00971",
  "openTime": "2016-02-16",
  "patchDescription": "Ruby on Rails\u662fRails\u6838\u5fc3\u56e2\u961f\u5f00\u53d1\u7ef4\u62a4\u7684\u4e00\u5957\u57fa\u4e8eRuby\u8bed\u8a00\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\u3002Action Controller\u662f\u5176\u4e2d\u7684\u4e00\u4e2aMVC\u7684C\u63a7\u5236\u5668\u7ec4\u4ef6\u3002\r\n\r\nRuby On Rails Action Controller\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63d0\u4ea4\u7279\u6b8a\u8bf7\u6c42\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Ruby On Rails Action Controller\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Ruby on Rails Action Controller"
  },
  "referenceLink": "http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/",
  "serverity": "\u4e2d",
  "submitTime": "2016-02-08",
  "title": "Ruby On Rails Action Controller\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e"
}

FKIE_CVE-2015-7576

Vulnerability from fkie_nvd - Published: 2016-02-16 02:59 - Updated: 2025-04-12 10:46

Severity ?

3.7 (Low) - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Summary

References

	URL	Tags
	secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
	secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
	secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
	secalert@redhat.com	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html
	secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
	secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
	secalert@redhat.com	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
	secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2016-0296.html
	secalert@redhat.com	http://www.debian.org/security/2016/dsa-3464
	secalert@redhat.com	http://www.openwall.com/lists/oss-security/2016/01/25/8
	secalert@redhat.com	http://www.securityfocus.com/bid/81803
	secalert@redhat.com	http://www.securitytracker.com/id/1034816
	secalert@redhat.com	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ
	af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html
	af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html
	af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2016-0296.html
	af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2016/dsa-3464
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2016/01/25/8
	af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/81803
	af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1034816
	af854a3a-2127-422b-91ae-364da2661108	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ

Impacted products

Vendor	Product	Version
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.0
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.1
rubyonrails	rails	4.0.2
rubyonrails	rails	4.0.3
rubyonrails	rails	4.0.4
rubyonrails	rails	4.0.4
rubyonrails	rails	4.0.5
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.6
rubyonrails	rails	4.0.7
rubyonrails	rails	4.0.8
rubyonrails	rails	4.0.9
rubyonrails	rails	4.0.10
rubyonrails	rails	4.0.10
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.0
rubyonrails	rails	4.1.1
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.2
rubyonrails	rails	4.1.3
rubyonrails	rails	4.1.4
rubyonrails	rails	4.1.5
rubyonrails	rails	4.1.6
rubyonrails	rails	4.1.6
rubyonrails	rails	4.1.6
rubyonrails	rails	4.1.7
rubyonrails	rails	4.1.7.1
rubyonrails	rails	4.1.8
rubyonrails	rails	4.1.9
rubyonrails	rails	4.1.9
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.10
rubyonrails	rails	4.1.12
rubyonrails	rails	4.1.12
rubyonrails	rails	4.1.13
rubyonrails	rails	4.1.13
rubyonrails	rails	4.1.14
rubyonrails	rails	4.1.14
rubyonrails	rails	4.1.14
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.0
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.1
rubyonrails	rails	4.2.2
rubyonrails	rails	4.2.3
rubyonrails	rails	4.2.3
rubyonrails	rails	4.2.4
rubyonrails	rails	4.2.4
rubyonrails	rails	4.2.5
rubyonrails	rails	4.2.5
rubyonrails	rails	4.2.5
rubyonrails	rails	5.0.0
rubyonrails	ruby_on_rails	*
rubyonrails	ruby_on_rails	4.0.10
rubyonrails	ruby_on_rails	4.0.11
rubyonrails	ruby_on_rails	4.0.11.1
rubyonrails	ruby_on_rails	4.0.12
rubyonrails	ruby_on_rails	4.0.13
rubyonrails	ruby_on_rails	4.0.13
rubyonrails	ruby_on_rails	4.1.11

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
              "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*",
              "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E",
              "versionEndIncluding": "3.2.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."
    },
    {
      "lang": "es",
      "value": "El m\u00e9todo http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementaci\u00f3n Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea m\u00e1s f\u00e1cil para atacantes remotos eludir la autenticaci\u00f3n mediante la medici\u00f3n de las diferencias de temporizaci\u00f3n."
    }
  ],
  "id": "CVE-2015-7576",
  "lastModified": "2025-04-12T10:46:40.837",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.7,
          "baseSeverity": "LOW",
          "confidentialityImpact": "LOW",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
          "version": "3.0"
        },
        "exploitabilityScore": 2.2,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2016-02-16T02:59:00.110",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2016/dsa-3464"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/81803"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id/1034816"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2016/dsa-3464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/81803"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1034816"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-254"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2015-7576 (GCVE-0-2015-7576)

GSD-2015-7576

CVE-2015-7576

GHSA-P692-7MM3-3FXG

CERTFR-2016-AVI-037

Solution

CNVD-2016-00971

FKIE_CVE-2015-7576

Tags

Sightings

Nomenclature