Ruby 信息泄露漏洞

漏洞介绍

Ruby是松本行弘软件开发者的一种跨平台、面向对象的动态类型编程语言。

Rack中存在安全漏洞。攻击者可通过对会话ID进行时序攻击利用该漏洞劫持会话。

漏洞补丁

目前厂商已发布升级了Ruby 信息泄露漏洞的补丁，Ruby 信息泄露漏洞的补丁获取链接：

https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

参考网址

来源:MLIST

链接：http://www.openwall.com/lists/oss-security/2019/12/18/2

来源:FEDORA

链接：https://lists.fedoraproject.org/archives/list/[email protected]/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX/

来源:www.openwall.com

链接：http://www.openwall.com/lists/oss-security/2019/12/18/3

来源:CONFIRM

链接：https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38

来源:MLIST

链接：http://www.openwall.com/lists/oss-security/2019/12/19/3

来源:github.com

链接：https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

来源:www.suse.com

链接：https://www.suse.com/support/update/announcement/2020/suse-su-20200359-1.html

来源:www.vuxml.org

链接：http://www.vuxml.org/freebsd/66e4dc99-28b3-11ea-8dde-08002728f74c.html

来源:vigilance.fr

链接：https://vigilance.fr/vulnerability/RubyGem-Rack-privilege-escalation-via-Session-ID-Time-Measurement-31365

来源:www.ibm.com

链接：https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-on-rails-affects-ibm-license-metric-tool-v9-cve-2019-16782/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.1303/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.0029/

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.3703/

来源:nvd.nist.gov

链接：https://nvd.nist.gov/vuln/detail/CVE-2019-16782

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/158022/Red-Hat-Security-Advisory-2020-2480-01.html

来源:www.auscert.org.au

链接：https://www.auscert.org.au/bulletins/ESB-2020.0458/

来源:packetstormsecurity.com

链接：https://packetstormsecurity.com/files/159724/Red-Hat-Security-Advisory-2020-4366-01.html

受影响实体

暂无

信息来源

http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201912-865