Affecting sinatra gem, versions <2.0.0.beta2
sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Affected versions of the package are vulnerable to Timing Attack.
sinatra did not use a constant-time comparison for CSRF tokens. A plain string comparison returns as soon as it finds the first mismatching byte, so the comparison fails faster when the first characters of the submitted token are incorrect than when only later characters differ. An attacker can measure this difference to perform a timing attack.
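The following is an added illustration, not code from sinatra or rack-protection: a naive early-exit comparison beside a constant-time one built the same way as Rack::Utils.secure_compare (XOR every byte pair, OR the results, never return early, and hash both inputs first so their lengths match). Both functions return how many bytes they examined, and the token value is constructed for the example.

```ruby
require "digest"

# Constructed sample token (32 hex characters, not real session data).
SESSION_TOKEN = "a3f9c1d7e5b2480fa3f9c1d7e5b2480f"

# Naive comparison, the pattern behind the affected versions: stops at the
# first mismatching byte, so the work done depends on how many leading bytes
# the caller got right. Returns [equal?, bytes_examined] so the early exit is
# visible without timing measurements.
def naive_compare(expected, submitted)
  return [false, 0] if expected.bytesize != submitted.bytesize
  expected.each_byte.with_index do |byte, i|
    return [false, i + 1] if byte != submitted.getbyte(i)
  end
  [true, expected.bytesize]
end

# Constant-time comparison in the style of Rack::Utils.secure_compare.
# Hashing both inputs first gives two 32-byte strings, so a length mismatch
# cannot leak the token length; the loop then inspects every byte and only
# accumulates the difference, so the work done is independent of the input.
def secure_compare(expected, submitted)
  da = Digest::SHA256.digest(expected)
  db = Digest::SHA256.digest(submitted)
  diff = 0
  examined = 0
  da.each_byte.with_index do |byte, i|
    diff |= byte ^ db.getbyte(i)
    examined += 1
  end
  [diff.zero?, examined]
end

if __FILE__ == $0
  wrong_first = "b" + SESSION_TOKEN[1..-1]
  wrong_last = SESSION_TOKEN[0, 31] + "0"
  puts "naive,  wrong first byte: #{naive_compare(SESSION_TOKEN, wrong_first).inspect}"
  puts "naive,  wrong last byte:  #{naive_compare(SESSION_TOKEN, wrong_last).inspect}"
  puts "secure, wrong first byte: #{secure_compare(SESSION_TOKEN, wrong_first).inspect}"
  puts "secure, wrong last byte:  #{secure_compare(SESSION_TOKEN, wrong_last).inspect}"
end
```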
Upgrade sinatra to version 2.0.0.beta2 or higher.
- 24 May, 2015
- 10 Jan, 2018