A vulnerability, which was classified as problematic, was found in Shrine up to 3.2.x. This affects the function Rack::Utils.secure_compare of the component derivation_endpoint Plugin. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-203. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.

The weakness was released 10/04/2020. It is possible to read the advisory at github.com. This vulnerability is uniquely identified as CVE-2020-15237 since 06/25/2020. The attack needs to be done within the local network. A authentication is necessary for exploitation. Technical details of the vulnerability are known, but there is no available exploit.

Upgrading to version 3.3.0 eliminates this vulnerability. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Productinfoedit

Name

• Shrine

CPE 2.3infoedit

• 🔒
• 🔒
• 🔒

CPE 2.2infoedit

• 🔒
• 🔒
• 🔒

CVSSv3infoedit

CVSSv2infoedit

Exploitinginfoedit

Threat Intelligenceinfoedit

Countermeasuresinfoedit

Timelineinfoedit

Sourcesinfoedit

Entryinfoedit

Comments