Timing Attack

Affecting sinatra gem, versions <2.0.0.beta2

medium severity

Overview

sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

Affected versions of the package are vulnerable to Timing Attack. sinatra did not use a constant-time comparison for the CSRF tokens. As a result, the comparison fails faster when the first characters of the submitted token are incorrect. An attacker can use this timing difference to perform a timing attack.
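The following Ruby snippet is an added illustration of the defect class described above; it is not code from sinatra or rack-protection. The hypothetical `naive_compare` stops at the first mismatching byte, while `secure_compare` XORs every byte pair and accumulates the result, so the work done does not depend on where the mismatch is. The `_steps` variants count examined bytes to make the difference observable without noisy timing measurements; the tokens are constructed sample values.

```ruby
require "securerandom"

# Naive comparison (hypothetical, models the vulnerable pattern): returns at
# the first mismatching byte, so work done grows with the matching prefix.
def naive_compare(expected, given)
  return false unless expected.bytesize == given.bytesize
  expected.bytes.zip(given.bytes).each do |a, b|
    return false if a != b
  end
  true
end

# Same logic, instrumented to report how many bytes were examined.
def naive_compare_steps(expected, given)
  return 0 unless expected.bytesize == given.bytesize
  steps = 0
  expected.bytes.zip(given.bytes).each do |a, b|
    steps += 1
    return steps if a != b
  end
  steps
end

# Constant-time comparison: XOR each byte pair and OR the differences together.
# Every byte is visited regardless of where the first difference occurs.
# A length mismatch is rejected up front; the token length is not secret here.
def secure_compare(expected, given)
  return false unless expected.bytesize == given.bytesize
  diff = 0
  expected.bytes.zip(given.bytes) { |a, b| diff |= a ^ b }
  diff.zero?
end

# Instrumented constant-time variant: always examines every byte.
def secure_compare_steps(expected, given)
  return 0 unless expected.bytesize == given.bytesize
  steps = 0
  expected.bytes.zip(given.bytes) { |_a, _b| steps += 1 }
  steps
end

if $PROGRAM_NAME == __FILE__
  token = SecureRandom.hex(16)               # constructed 32-char sample token
  early = "z" + token[1..]                   # wrong in the first byte
  late  = token[0..-2] + "z"                 # wrong only in the last byte

  puts "naive  first-byte mismatch: #{naive_compare_steps(token, early)} bytes examined"
  puts "naive  last-byte mismatch:  #{naive_compare_steps(token, late)} bytes examined"
  puts "secure first-byte mismatch: #{secure_compare_steps(token, early)} bytes examined"
  puts "secure last-byte mismatch:  #{secure_compare_steps(token, late)} bytes examined"
  puts "secure correct token:       #{secure_compare(token, token)}"
end
```

In practice an application should not hand-roll this; Rack already ships `Rack::Utils.secure_compare` and newer Ruby/OpenSSL releases provide `OpenSSL.fixed_length_secure_compare`, both of which implement the accumulate-and-check pattern shown here.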

Remediation

Upgrade sinatra to version 2.0.0.beta2 or higher.

Credit
Unknown
CWE
CWE-208
Snyk ID
SNYK-RUBY-SINATRA-20470
Disclosed
24 May, 2015
Published
10 Jan, 2018