This is a duplicate of SNYK-RUBY-SINATRA-20488
sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.
Affected versions of the package are vulnerable to a Timing Attack. The package did not use a constant-time comparison for CSRF tokens, so the comparison returns faster when the first characters of the submitted token are incorrect than when they are correct. An attacker can measure this difference to perform a timing attack against the token.
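The following Ruby is an added illustration, not Sinatra's or rack-protection's own code. It places the early-exit comparison the advisory describes beside a constant-time comparison written in the style of `Rack::Utils.secure_compare`, and instruments both to show how many bytes each one examines before it can answer; that count is what a timing measurement estimates. The `valid_csrf_token?` helper and the constructed token values are assumptions made for the example.

```ruby
require 'securerandom'

# Vulnerable pattern: stop at the first mismatching byte. The number of
# bytes examined (and therefore the time taken) grows with the length of
# the correct prefix in the supplied token.
def early_exit_equal?(expected, supplied)
  return false unless expected.bytesize == supplied.bytesize
  expected.bytesize.times do |i|
    return false if expected.getbyte(i) != supplied.getbyte(i)
  end
  true
end

# Hardened pattern (same approach as Rack::Utils.secure_compare): XOR every
# byte pair, OR the results together, and decide only after the full loop.
# The work is the same whether the mismatch is at byte 0 or byte 31.
def constant_time_equal?(expected, supplied)
  return false unless expected.bytesize == supplied.bytesize
  diff = 0
  expected.bytesize.times { |i| diff |= expected.getbyte(i) ^ supplied.getbyte(i) }
  diff.zero?
end

# Instrumented counters: how many byte positions each comparison inspects
# before it returns. Timing side channels leak exactly this quantity.
def bytes_examined_early_exit(expected, supplied)
  return 0 unless expected.bytesize == supplied.bytesize
  expected.bytesize.times do |i|
    return i + 1 if expected.getbyte(i) != supplied.getbyte(i)
  end
  expected.bytesize
end

def bytes_examined_constant_time(expected, supplied)
  expected.bytesize == supplied.bytesize ? expected.bytesize : 0
end

# Hypothetical CSRF check as a request handler would perform it: the token
# stored in the session versus the token submitted with the form. Missing or
# wrong-length tokens are rejected before any byte comparison takes place.
def valid_csrf_token?(session_token, submitted_token)
  return false if session_token.nil? || submitted_token.nil?
  constant_time_equal?(session_token.to_s, submitted_token.to_s)
end

# Constructed guess: keeps the first `correct_prefix_len` bytes of the real
# token and fills the rest with '~', which never appears in a hex token.
def prefix_guess(token, correct_prefix_len)
  token[0, correct_prefix_len] + ('~' * (token.bytesize - correct_prefix_len))
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16)           # constructed 32-character token
  guess = prefix_guess(token, 8)
  puts "early-exit compare examined #{bytes_examined_early_exit(token, guess)} bytes"
  puts "constant-time compare examined #{bytes_examined_constant_time(token, guess)} bytes"
end
```

Run stand-alone, the script reports 9 bytes examined for the early-exit compare against a guess with an 8-byte correct prefix, and 32 for the constant-time compare regardless of the prefix. Both functions still reject the wrong token; the difference is only in how much the rejection reveals.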
Upgrade sinatra to version 2.0.0.beta2 or higher.
- Snyk ID
- 24 May, 2015
- 10 Jan, 2018