CVE-2019-16779
5.8
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| excon | excon | < 0.71.0 < 0.71.0 | affected |
Weaknesses
- CWE-664: CWE-664 Improper Control of a Resource Through its Lifetime
Workarounds
Users can workaround the problem by disabling persistent connections, though this may cause performance implications.
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9
- https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00021.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00062.html
References
- https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9
- https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00021.html
- https://lists.debian.org/debian-lts-announce/2020/01/msg00015.html
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00062.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.