CVE-2019-16779 Information

Feb 14, 2021 cve

Description

In RubyGem excon before 0.71.0 there was a race condition around persistent connections where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data returning content from the previous response. The race condition window appears to be short and it would be difficult to purposefully exploit this.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Reference

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00062.html https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 https://lists.debian.org/debian-lts-announce/2020/01/msg00015.html

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

NONE

Base Severity

5.9

Share on: