CVE-2015-7576
rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller
Severity Score
Exploit Likelihood
Affected Versions
86Public Exploits
0Exploited in Wild
-Decision
Descriptions
The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.
El método http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementación Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea más fácil para atacantes remotos eludir la autenticación mediante la medición de las diferencias de temporización.
A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack.
The rh-ror41 collection provides Ruby on Rails version 4.1. Ruby on Rails is a model-view-controller framework for web application development. The following issue was corrected in rubygem-actionpack and rubygem-actionview: A directory traversal flaw was found in the way the Action View component searched for templates for rendering. If an application passed untrusted input to the 'render' method, a remote, unauthenticated attacker could use this to render unexpected files and, possibly, execute arbitrary code.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2015-09-29 CVE Reserved
- 2016-02-01 CVE Published
- 2024-08-06 CVE Updated
- 2025-04-03 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-254: 7PK - Security Features
- CWE-385: Covert Timing Channel
CAPEC
References (15)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2016/01/25/8 | Mailing List |
|
| http://www.securityfocus.com/bid/81803 | Vdb Entry | |
| http://www.securitytracker.com/id/1034816 | Vdb Entry | |
| https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/... | Mailing List |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|