{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2016-01-25T00:00:00", "descriptions": [{"lang": "en", "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-09-09T09:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"}, {"name": "FEDORA-2016-3ede04cd79", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"}, {"name": "openSUSE-SU-2016:0372", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-94e71ee673", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"}, {"name": "81803", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/81803"}, {"name": "FEDORA-2016-f486068393", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "1034816", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1034816"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "FEDORA-2016-cb30088b06", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-7576", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"}, {"name": "FEDORA-2016-3ede04cd79", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"}, {"name": "openSUSE-SU-2016:0372", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-94e71ee673", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"}, {"name": "81803", "refsource": "BID", "url": "http://www.securityfocus.com/bid/81803"}, {"name": "FEDORA-2016-f486068393", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"}, {"name": "SUSE-SU-2016:1146", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "1034816", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1034816"}, {"name": "DSA-3464", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "refsource": "REDHAT", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "FEDORA-2016-cb30088b06", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T07:51:28.554Z"}, "title": "CVE Program Container", "references": [{"name": "[oss-security] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"}, {"name": "FEDORA-2016-3ede04cd79", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"}, {"name": "openSUSE-SU-2016:0372", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"name": "openSUSE-SU-2016:0363", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"name": "FEDORA-2016-94e71ee673", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"}, {"name": "81803", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/81803"}, {"name": "FEDORA-2016-f486068393", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"}, {"name": "SUSE-SU-2016:1146", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"name": "1034816", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1034816"}, {"name": "DSA-3464", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2016/dsa-3464"}, {"name": "RHSA-2016:0296", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"name": "FEDORA-2016-cb30088b06", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"}, {"name": "[ruby-security-ann] 20160125 [CVE-2015-7576] Timing attack vulnerability in basic authentication in Action Controller.", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-7576", "datePublished": "2016-02-16T02:00:00", "dateReserved": "2015-09-29T00:00:00", "dateUpdated": "2024-08-06T07:51:28.554Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "2E950E33-CD03-45F5-83F9-F106060B4A8B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*", "matchCriteriaId": "547C62C8-4B3E-431B-AA73-5C42ED884671", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4CDAD329-35F7-4C82-8019-A0CF6D069059", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56D3858B-0FEE-4E8D-83C2-68AF0431F478", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*", "matchCriteriaId": "254884EE-EBA4-45D0-9704-B5CB22569668", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "35FC7015-267C-403B-A23D-EDA6223D2104", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "5C913A56-959D-44F1-BD89-D246C66D1F09", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "5D5BA926-38EE-47BE-9D16-FDCF360A503B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "18EA25F1-279A-4F1A-883D-C064369F592E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "FD794856-6F30-4ABF-8AE4-720BB75E6F89", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "B4199B8B-A6F9-4BFD-8D27-0E663D8C579D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "F11E76A3-FA5B-4038-AB52-3D7D5E54D8A2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "C583ACDE-55D5-4D2F-838F-BEC5BDCDE3B7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "767C481D-6616-4CA9-9A9B-C994D9121796", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*", "matchCriteriaId": "D5496953-0C5E-45F8-A7FB-240CEC2CCEB8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "CA46B621-125E-497F-B2DE-91C989B25936", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B3239443-2E19-4540-BA0C-05A27E44CB6C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*", "matchCriteriaId": "104AC9CF-6611-4469-9852-7FDAF4EC7638", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*", "matchCriteriaId": "DC9E1864-B1E5-42C3-B4AF-9A002916B66D", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*", "matchCriteriaId": "31AC91AA-6A9A-43B4-B3E9-A66A34B6E612", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*", "matchCriteriaId": "A462C151-982E-4A83-A376-025015F40645", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*", "matchCriteriaId": "660C2AD2-CEC8-4391-84AF-27515A88B29E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "578CC013-776B-4868-B448-B7ACAF3AF832", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "C310EA3E-399A-48FD-8DE9-6950E328CF23", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "293B2998-5169-4960-BEC4-21DAC837E32B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "FB42A8E7-D273-4CE2-9182-D831D8089BFA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "DB757DFD-BF47-4483-A2C0-DF37F7D10989", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "B6C375F2-5027-4B55-9112-C5DD2F787E43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*", "matchCriteriaId": "EAB8D57F-9849-428C-B8E9-D0A1020728BB", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*", "matchCriteriaId": "B0359DA8-6B41-46C5-AA95-41B1B366DD4A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*", "matchCriteriaId": "0965BDB6-9644-465C-AA32-9278B2D53197", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*", "matchCriteriaId": "7F6B15CF-37C1-4C9B-8457-4A8C9A480188", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*", "matchCriteriaId": "072EB16D-1325-4869-B156-65E786A834C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*", "matchCriteriaId": "847B3C3D-8656-404D-A954-09C159EDC8E2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*", "matchCriteriaId": "65CA2D50-B33C-4088-BDDF-EB964C9A092C", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*", "matchCriteriaId": "CADB5989-5260-4F60-ACF2-BEB6D7F97654", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:*:*:*:*:*:*:*", "matchCriteriaId": "9036E3C7-0AD5-489D-BCEE-31DFE13F5ADA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*", "matchCriteriaId": "509597D0-22E1-4BE8-95AD-C54FE4D15FA4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.6:rc2:*:*:*:*:*:*", "matchCriteriaId": "B86E26CB-2376-4EBC-913C-B354E2D6711B", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*", "matchCriteriaId": "539C550D-FEDD-415E-95AE-40E1AE2BAF1A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "D5150753-E86D-4859-A046-97B83EAE2C14", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*", "matchCriteriaId": "59C5B869-74FC-4051-A103-A721332B3CF2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*", "matchCriteriaId": "7C31EBD2-CD2D-4D38-AA51-A5A56487939A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.9:rc1:*:*:*:*:*:*", "matchCriteriaId": "F11E9791-7BCE-43E5-A4BA-6449623FE4F9", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*", "matchCriteriaId": "33FBD4E4-0BCD-49E1-BA84-86621B7C4556", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc1:*:*:*:*:*:*", "matchCriteriaId": "CE521626-2876-455C-9D99-DB74726DC724", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "2DFDD32E-F49E-47F7-B033-B6C3C0E07FC4", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc3:*:*:*:*:*:*", "matchCriteriaId": "DCBA26F1-FBBA-444D-9C14-F15AB14A4FC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.10:rc4:*:*:*:*:*:*", "matchCriteriaId": "16D3B0EA-49F7-401A-A1D9-437429D33EAD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*", "matchCriteriaId": "83D1EB17-EE67-48E5-B637-AA9A75D397F6", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.12:rc1:*:*:*:*:*:*", "matchCriteriaId": "17EBD8B4-C4D3-44A6-9DC1-89D948F126A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*", "matchCriteriaId": "A2B1711A-5541-412C-A5A0-274CEAB9E387", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "FCB08CD7-E9B9-454F-BAF7-96162D177677", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:*:*:*:*:*:*:*", "matchCriteriaId": "C3AF00C3-93D9-4284-BCB9-40E42CB8386E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc1:*:*:*:*:*:*", "matchCriteriaId": "0D3DA0B4-E374-4ED4-8C3B-F723C968666F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.1.14:rc2:*:*:*:*:*:*", "matchCriteriaId": "B1730A9A-6810-4470-AE6C-A5356D5BFF43", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "9A68D41F-36A9-4B77-814D-996F4E48FA79", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "709A19A5-8FD1-4F9C-A38C-F06242A94D68", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "8104482C-E8F5-40A7-8B27-234FEF725FD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "2CFF8677-EA00-4F7E-BFF9-272482206DB5", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "8D7DF5CD-DA28-492D-B5EE-D252ECCC8D96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "85435026-9855-4BF4-A436-832628B005FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*", "matchCriteriaId": "56C2308F-A590-47B0-9791-7865D189196F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*", "matchCriteriaId": "9A266882-DABA-4A4C-88E6-60E993EE0947", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "83F1142C-3BFB-4B72-A033-81E20DB19D02", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*", "matchCriteriaId": "1FA738A1-227B-4665-B65E-666883FFAE96", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "6F00718C-A9E8-4E85-8DA6-33BF11F2DCCE", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*", "matchCriteriaId": "10789A2D-6401-4119-BFBE-2EE4C16216D3", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*", "matchCriteriaId": "70ABD462-7142-4831-8EB6-801EC1D05573", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*", "matchCriteriaId": "81D717DB-7C80-48AA-A774-E291D2E75D6E", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*", "matchCriteriaId": "06B357FB-0307-4EFA-9C5B-3C2CDEA48584", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*", "matchCriteriaId": "E4BD8840-0F1C-49D3-B843-9CFE64948018", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*", "matchCriteriaId": "79D5B492-43F9-470F-BD21-6EFD93E78453", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*", "matchCriteriaId": "4EC1F602-D48C-458A-A063-4050BE3BB25F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*", "matchCriteriaId": "F6A1C015-56AD-489C-B301-68CF1DBF1BEF", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*", "matchCriteriaId": "FD191625-ACE2-46B6-9AAD-12D682C732C2", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*", "matchCriteriaId": "02C7DB56-267B-4057-A9BA-36D1E58C6282", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "AF8F94CF-D504-4165-A69E-3F1198CB162A", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "4C068362-0D49-4117-BC96-780AA802CE4E", "versionEndIncluding": "3.2.22", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*", "matchCriteriaId": "9C8E749B-2908-442A-99F0-91E2772336ED", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "9E43D2D7-89AE-4805-9732-F1C601D8D8B8", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*", "matchCriteriaId": "5F3D8911-060D-435D-ACA2-E29271170CAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*", "matchCriteriaId": "EA7A4939-16CF-450D-846A-75B231E32D61", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*", "matchCriteriaId": "C964D4A2-3F39-4CC7-A028-B42C94DDB56F", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*", "matchCriteriaId": "3B54D9FE-0A38-4053-9F3C-8831E2DD2BF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*", "matchCriteriaId": "23FD6D82-9A14-4BD4-AA00-1875F0962ACE", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences."}, {"lang": "es", "value": "El m\u00e9todo http_basic_authenticate_with en actionpack/lib/action_controller/metal/http_authentication.rb en la implementaci\u00f3n Basic Authentication en Action Controller en Ruby on Rails en versiones anteriores a 3.2.22.1, 4.0.x y 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 no usa el algoritmo de tiempo constante para verificar credenciales, lo que hace que sea m\u00e1s f\u00e1cil para atacantes remotos eludir la autenticaci\u00f3n mediante la medici\u00f3n de las diferencias de temporizaci\u00f3n."}], "id": "CVE-2015-7576", "lastModified": "2024-11-21T02:37:00.807", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2016-02-16T02:59:00.110", "references": [{"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"}, {"source": "secalert@redhat.com", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"source": "secalert@redhat.com", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"source": "secalert@redhat.com", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "secalert@redhat.com", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/81803"}, {"source": "secalert@redhat.com", "url": "http://www.securitytracker.com/id/1034816"}, {"source": "secalert@redhat.com", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178068.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00034.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.debian.org/security/2016/dsa-3464"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2016/01/25/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/81803"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securitytracker.com/id/1034816"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/ANv0HDHEC3k/T8Hgq-hYEgAJ"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-254"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Ruby on Rails project for reporting this issue. Upstream acknowledges Daniel Waterworth as the original reporter.", "affected_release": [{"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionpack-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-actionview-0:4.1.5-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activemodel-0:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activerecord-1:4.1.5-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0296", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-ror41-rubygem-activesupport-1:4.1.5-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-02-24T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-actionpack-1:4.0.2-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activerecord-1:4.0.2-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0454", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ror40-rubygem-activesupport-1:4.0.2-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-actionpack-1:3.2.8-16.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activerecord-1:3.2.8-11.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}, {"advisory": "RHSA-2016:0455", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "ruby193-rubygem-activesupport-1:3.2.8-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date": "2016-03-15T00:00:00Z"}], "bugzilla": {"description": "rubygem-actionpack: Timing attack vulnerability in basic authentication in Action Controller", "id": "1301933", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1301933"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-385", "details": ["The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.", "A flaw was found in the way the Action Controller component compared user names and passwords when performing HTTP basic authentication. Time taken to compare strings could differ depending on input, possibly allowing a remote attacker to determine valid user names and passwords using a timing attack."], "mitigation": {"lang": "en:us", "value": "Use following code to monkey-patch http_basic_authenticate_with method in ActionController:\n~~~\nmodule ActiveSupport\nmodule SecurityUtils\ndef secure_compare(a, b)\nreturn false unless a.bytesize == b.bytesize\nl = a.unpack \"C#{a.bytesize}\"\nres = 0\nb.each_byte { |byte| res |= byte ^ l.shift }\nres == 0\nend\nmodule_function :secure_compare\ndef variable_size_secure_compare(a, b)\nsecure_compare(::Digest::SHA256.hexdigest(a), ::Digest::SHA256.hexdigest(b))\nend\nmodule_function :variable_size_secure_compare\nend\nend\nmodule ActionController\nclass Base\ndef self.http_basic_authenticate_with(options = {})\nbefore_action(options.except(:name, :password, :realm)) do\nauthenticate_or_request_with_http_basic(options[:realm] || \"Application\") do |name, password|\n# This comparison uses & so that it doesn't short circuit and\n# uses `variable_size_secure_compare` so that length information\n# isn't leaked.\nActiveSupport::SecurityUtils.variable_size_secure_compare(name, options[:name]) &\nActiveSupport::SecurityUtils.variable_size_secure_compare(password, options[:password])\nend\nend\nend\nend\nend\n~~~"}, "name": "CVE-2015-7576", "package_state": [{"cpe": "cpe:/a:cloudforms_managementengine:5.2", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionpack", "product_name": "CloudForms Management Engine 5.2"}, {"cpe": "cpe:/a:cloudforms_managementengine:5.3", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionpack", "product_name": "CloudForms Management Engine 5.3"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionpack", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "rubygem-actionpack", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2016-01-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-7576\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-7576\nhttp://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/\nhttps://groups.google.com/forum/#!msg/rubyonrails-security/ANv0HDHEC3k/mt7wNGxbFQAJ"], "threat_severity": "Low", "upstream_fix": "rubygem-rails 5.0.0.beta1.1, rubygem-rails 4.2.5.1, rubygem-rails 4.1.14.1, rubygem-rails 3.2.22.1"}