CVE-2013-0263
First published: Fri Feb 08 2013(Updated: )
James Tucker (raggi) reports: CVE: <a href="https://access.redhat.com/security/cve/CVE-2013-0263">CVE-2013-0263</a> Software: Rack (rack.github.com) Type of vulnerability: Timing attack, leading to potential RCE Vulnerable code: <a href="https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149">https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149</a> Patch: <a href="https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07">https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07</a> <a href="https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11">https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11</a> Versions affected: All prior versions. Versions fixed: 1.1.6, 1.2.8, 1.3.10, 1.4.5, 1.5.2 Reporter: Ben Murphy Reference: <a href="http://seclists.org/oss-sec/2013/q1/271">http://seclists.org/oss-sec/2013/q1/271</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/candlepin | <0:0.7.24-1.el6_3 | 0:0.7.24-1.el6_3 |
| redhat/katello | <0:1.2.1.1-1h.el6_4 | 0:1.2.1.1-1h.el6_4 |
| redhat/katello-configure | <0:1.2.3.1-4h.el6_4 | 0:1.2.3.1-4h.el6_4 |
| redhat/rubygem-actionpack | <1:3.0.10-12.el6cf | 1:3.0.10-12.el6cf |
| redhat/rubygem-activemodel | <0:3.0.10-3.el6cf | 0:3.0.10-3.el6cf |
| redhat/rubygem-json | <0:1.7.3-2.el6_3 | 0:1.7.3-2.el6_3 |
| redhat/rubygem-nokogiri | <0:1.5.0-0.9.beta4.el6cf | 0:1.5.0-0.9.beta4.el6cf |
| redhat/rubygem-rack | <1:1.3.0-4.el6cf | 1:1.3.0-4.el6cf |
| redhat/rubygem-rdoc | <0:3.8-6.el6cf | 0:3.8-6.el6cf |
| redhat/thumbslug | <0:0.0.28.1-1.el6_4 | 0:0.0.28.1-1.el6_4 |
| redhat/jenkins | <0:1.502-1.el6 | 0:1.502-1.el6 |
| redhat/openshift-origin-cartridge-jenkins | <1.4-0:1.0.3-1.el6 | 1.4-0:1.0.3-1.el6 |
| redhat/ruby193-rubygem-rack | <1:1.4.1-4.el6 | 1:1.4.1-4.el6 |
| redhat/rubygem-rack | <1:1.3.0-4.el6 | 1:1.3.0-4.el6 |
| Rack-Project Rack | =1.5.0 | |
| Rack-Project Rack | =1.5.1 | |
| Rack-Project Rack | =1.4.0 | |
| Rack-Project Rack | =1.4.1 | |
| Rack-Project Rack | =1.4.2 | |
| Rack-Project Rack | =1.4.3 | |
| Rack-Project Rack | =1.4.4 | |
| Rack-Project Rack | =1.3.0 | |
| Rack-Project Rack | =1.3.1 | |
| Rack-Project Rack | =1.3.2 | |
| Rack-Project Rack | =1.3.3 | |
| Rack-Project Rack | =1.3.4 | |
| Rack-Project Rack | =1.3.5 | |
| Rack-Project Rack | =1.3.6 | |
| Rack-Project Rack | =1.3.7 | |
| Rack-Project Rack | =1.3.8 | |
| Rack-Project Rack | =1.3.9 | |
| Rack-Project Rack | =1.2.0 | |
| Rack-Project Rack | =1.2.1 | |
| Rack-Project Rack | =1.2.2 | |
| Rack-Project Rack | =1.2.3 | |
| Rack-Project Rack | =1.2.4 | |
| Rack-Project Rack | =1.2.6 | |
| Rack-Project Rack | =1.2.7 | |
| Rack-Project Rack | =1.1.0 | |
| Rack-Project Rack | =1.1.4 | |
| Rack-Project Rack | =1.1.5 | |
| Rack-Project Rack | =1.1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2013-0263 https://nvd.nist.gov/vuln/detail/CVE-2013-0263
- https://bugzilla.redhat.com/show_bug.cgi?id=909071
- https://access.redhat.com/errata/RHSA-2013:0686
- https://access.redhat.com/errata/RHSA-2013:0638
- https://access.redhat.com/security/cve/CVE-2013-0263
- https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb#L149
- https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
- https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
- http://seclists.org/oss-sec/2013/q1/271
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=909088
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=909091
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=696259&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=696259&action=edit
- https://github.com/rack/rack/commit/feea59c1abacd455c222bfee67541b1078378929
- https://github.com/rack/rack/commit/26c8500e9c49a0e625e1bd8d7158cabdfa2e17ae
- https://rhn.redhat.com/errata/RHSA-2013-0638.html
- https://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
- http://rack.github.com/
- http://rhn.redhat.com/errata/RHSA-2013-0686.html
- http://secunia.com/advisories/52033
- http://secunia.com/advisories/52134
- http://secunia.com/advisories/52774
- http://www.debian.org/security/2013/dsa-2783
- http://www.osvdb.org/89939
- https://gist.github.com/codahale/f9f3781f7b54985bee94
- https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
- https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
- https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
- https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
- https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
- https://puppet.com/security/cve/cve-2013-0263
- https://twitter.com/coda/statuses/299732877745197056
Frequently Asked Questions
What is the severity of CVE-2013-0263?
CVE-2013-0263 is classified as a timing attack vulnerability with the potential for remote code execution.
How do I fix CVE-2013-0263?
To mitigate CVE-2013-0263, upgrade to the corrected versions of affected software as listed in the official advisory.
Which software versions are affected by CVE-2013-0263?
CVE-2013-0263 affects specific versions of Rack and associated packages including specific versions of candlepin, katello, and others.
What types of vulnerabilities are associated with CVE-2013-0263?
CVE-2013-0263 is associated with a timing attack that may expose sensitive information or allow unauthorized access.
Is CVE-2013-0263 included in any security patches?
Yes, CVE-2013-0263 is addressed in specific security updates provided by Red Hat as part of their advisory.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/severity
- agent/author
- agent/description
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2013-0263
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/rack project
- canonical/rack-project rack
- version/rack-project rack/1.5.0
- version/rack-project rack/1.5.1
- version/rack-project rack/1.4.0
- version/rack-project rack/1.4.1
- version/rack-project rack/1.4.2
- version/rack-project rack/1.4.3
- version/rack-project rack/1.4.4
- version/rack-project rack/1.3.0
- version/rack-project rack/1.3.1
- version/rack-project rack/1.3.2
- version/rack-project rack/1.3.3
- version/rack-project rack/1.3.4
- version/rack-project rack/1.3.5
- version/rack-project rack/1.3.6
- version/rack-project rack/1.3.7
- version/rack-project rack/1.3.8
- version/rack-project rack/1.3.9
- version/rack-project rack/1.2.0
- version/rack-project rack/1.2.1
- version/rack-project rack/1.2.2
- version/rack-project rack/1.2.3
- version/rack-project rack/1.2.4
- version/rack-project rack/1.2.6
- version/rack-project rack/1.2.7
- version/rack-project rack/1.1.0
- version/rack-project rack/1.1.4
- version/rack-project rack/1.1.5
- version/rack-project rack/1.1.6