Skip to main content

Rack CVE-2019-16782

MEDIUM
Observable Timing Discrepancy (CWE-208)
2019-12-18 security-advisories@github.com
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

1
CVE Published
Dec 18, 2019 - 20:15 nvd
MEDIUM 5.9

DescriptionNVD

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

AnalysisAI

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Technical ContextAI

This vulnerability is classified under CWE-208. There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session. The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison. Affected products include: Rack, Fedoraproject Fedora, Opensuse Leap.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

More in Rack

View all
CVE-2026-22860 HIGH POC
7.5 Feb 18

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list

CVE-2024-26141 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2024-25126 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2020-8184 HIGH POC
7.5 Jun 19

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 tha

CVE-2022-30123 CRITICAL
10.0 Dec 05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell

CVE-2025-25184 MEDIUM POC
5.7 Feb 12

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability

CVE-2026-25500 MEDIUM POC
5.4 Feb 18

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft

CVE-2020-8161 HIGH
8.6 Jul 02

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerabi

CVE-2013-0263 MEDIUM
5.1 Feb 08

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x

CVE-2025-46727 HIGH
7.5 May 07

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2015-3225 MEDIUM
5.0 Jul 26

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products

CVE-2025-59830 HIGH
7.5 Sep 25

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

Share

CVE-2019-16782 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy