CVE-2018-1000119: Timing attack vulnerability

March 7, 2018 (updated July 28, 2018)

Sinatra rack-protection contains a timing attack vulnerability in the CSRF token checking that can result in signatures can be exposed. This attack appear to be exploitable via network connectivity to the ruby application.

References

github.com/sinatra/rack-protection/pull/98
github.com/sinatra/sinatra/commit/8aa6c42ef724f93ae309fb7c5668e19ad547eceb
nvd.nist.gov/vuln/detail/CVE-2018-1000119

Code Behaviors & Features

Detect and mitigate CVE-2018-1000119 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →