exploitDog
GHSA-5jjv-x4fq-qjwp

Published: 05 Oct 2020
Source: github
GitHub: reviewed
CVSS3: 5.9

Description

Possible timing attack in derivation_endpoint

Impact

When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL.

Patches

The problem has been fixed by comparing the sent and calculated signatures in constant time, using Rack::Utils.secure_compare. Users of the derivation_endpoint plugin are urged to upgrade to Shrine 3.3.0 or greater.

Workarounds

Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:

```ruby
class Shrine
  class UrlSigner
    def verify_signature(string, signature)
      if signature.nil?
        fail InvalidSignature, "missing \"signature\" param"
      elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
        fail InvalidSignature, "provided signature does not match the calculated signature"
      end
    end
  end
end
```
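To show what the patch changes, here is an added, self-contained example (not Shrine's own code) of a derivation-style URL signer with the vulnerable `==` check next to the constant-time check from the workaround. It assumes an HMAC-SHA256 signature appended as a `signature` query parameter, uses a constructed secret, and re-implements the comparison in the style of Rack::Utils.secure_compare so it runs without rack.

```ruby
require "openssl"
require "uri"

# Added example, not Shrine's own code: a minimal URL signer shaped like the
# derivation_endpoint workaround above. Secret and URLs are constructed values.
module DemoUrlSigner
  SECRET = "constructed-demo-secret-key"
  InvalidSignature = Class.new(StandardError)
  # Assumed: HMAC-SHA256 over the unsigned URL, hex-encoded.
  def self.generate_signature(string)
    OpenSSL::HMAC.hexdigest("SHA256", SECRET, string)
  end
  # Appends the signature as a "signature" query parameter.
  def self.sign(url)
    url + (url.include?("?") ? "&" : "?") + "signature=#{generate_signature(url)}"
  end
  # Splits a signed URL into [unsigned_url, signature]; signature is nil if absent.
  def self.split(signed_url)
    uri = URI.parse(signed_url)
    params = URI.decode_www_form(uri.query.to_s)
    signature = params.assoc("signature")&.last
    rest = params.reject { |k, _| k == "signature" }
    uri.query = rest.empty? ? nil : URI.encode_www_form(rest)
    [uri.to_s, signature]
  end
  # Vulnerable pattern (pre-3.3.0): String#== returns at the first differing
  # byte, so the verification time reveals how long the correct prefix is.
  def self.verify_signature_insecure(string, signature)
    fail InvalidSignature, "missing \"signature\" param" if signature.nil?
    signature == generate_signature(string) or fail InvalidSignature, "signature mismatch"
  end
  # Constant-time comparison in the style of Rack::Utils.secure_compare (re-implemented
  # here so the example runs without rack): length check, then XOR of every byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |diff, (x, y)| diff | (x ^ y) }.zero?
  end
  # Fixed pattern, matching the workaround: same errors, constant-time compare.
  def self.verify_signature(string, signature)
    fail InvalidSignature, "missing \"signature\" param" if signature.nil?
    secure_compare(signature, generate_signature(string)) or
      fail InvalidSignature, "provided signature does not match the calculated signature"
    true
  end
  def self.verify_url(signed_url)
    verify_signature(*split(signed_url))
  end
end
```

The length check in `secure_compare` is not a leak: the expected signature length is public, and only a full-length candidate reaches the byte loop, which always runs over the whole string.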

References

You can read more about timing attacks here.

Packages

Name: shrine (rubygems)
Affected versions: < 3.3.0
Fixed version: 3.3.0

EPSS

Percentile: 54%
0.00316
Low

5.9 Medium

CVSS3

Weaknesses

CWE-203
CWE-208

Related vulnerabilities

CVSS3: 5.9
nvd
more than 5 years ago

In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.

EPSS

Percentile: 54%
0.00316
Low

5.9 Medium

CVSS3

Weaknesses

CWE-203
CWE-208