borja/herocalf

Vulnerabilities 1 via 3 paths
Dependencies 28
Source GitHub
Commit 27254fad


medium severity

Information Exposure

  • Vulnerable module: rack
  • Introduced through: rack-test@1.1.0 and sinatra@2.0.7

Detailed paths

  • Introduced through: borja/herocalf@borja/herocalf#27254fadcafd43a36d333cb1f3c60a2556baade6 > rack-test@1.1.0 > rack@2.0.7
    Remediation: Upgrade to rack-test@1.1.0.
  • Introduced through: borja/herocalf@borja/herocalf#27254fadcafd43a36d333cb1f3c60a2556baade6 > sinatra@2.0.7 > rack@2.0.7
    Remediation: Upgrade to sinatra@2.0.7.
  • Introduced through: borja/herocalf@borja/herocalf#27254fadcafd43a36d333cb1f3c60a2556baade6 > sinatra@2.0.7 > rack-protection@2.0.7 > rack@2.0.7
    Remediation: Upgrade to sinatra@2.0.7.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Information Exposure. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

Remediation

Upgrade rack to version 1.6.12, 2.0.8 or higher.
