shrine 2.6.0
Possible timing attack in derivation_endpoint
Severity: medium | CVE-2020-15237 | Patched versions: >= 3.3.0
Impact
When using the derivation_endpoint plugin, it is possible for an attacker to use a timing attack to guess the signature of the derivation URL.
Patches
The problem has been fixed by comparing the sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users of the derivation_endpoint plugin are urged to upgrade to Shrine 3.3.0 or greater.
Workarounds
Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:

  class Shrine
    class UrlSigner
      # Replaces the original String#== check with a constant-time comparison,
      # so the response time no longer depends on how many leading bytes of the
      # supplied signature are correct.
      def verify_signature(string, signature)
        if signature.nil?
          fail InvalidSignature, "missing \"signature\" param"
        elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
          fail InvalidSignature, "provided signature does not match the calculated signature"
        end
      end
    end
  end
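As an added illustration (not Shrine's code and not part of this advisory), the stand-in signer below puts the early-exit comparison behind the issue next to the constant-time comparison that the fix and the workaround rely on. The class, the secret and the sample derivation path are constructed; the constant-time routine follows the same approach as Rack::Utils.secure_compare rather than calling it, so the snippet runs with only the standard library.

```ruby
require "openssl"

# Constructed stand-in for the UrlSigner in Shrine's derivation_endpoint
# plugin (added example, not Shrine's code).
class DemoUrlSigner
  class InvalidSignature < StandardError; end

  def initialize(secret_key)
    @secret_key = secret_key
  end

  # HMAC-SHA256 over the signed part of the derivation URL, hex encoded.
  def generate_signature(string)
    OpenSSL::HMAC.hexdigest("SHA256", @secret_key, string)
  end

  # Instrumented early-exit compare, the behaviour of String#==:
  # returns [equal?, bytes examined]. The number of bytes examined, and so
  # the time taken, grows with the length of the correct prefix. That is
  # the leak an attacker measures.
  def self.early_exit_compare(a, b)
    return [false, 0] unless a.bytesize == b.bytesize
    a.bytesize.times do |i|
      return [false, i + 1] if a.getbyte(i) != b.getbyte(i)
    end
    [true, a.bytesize]
  end

  # Constant-time compare, same approach as Rack::Utils.secure_compare:
  # check the lengths, then OR together the XOR of every byte pair so that
  # every byte is visited no matter where the first mismatch is.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytesize.times { |i| diff |= a.getbyte(i) ^ b.getbyte(i) }
    diff.zero?
  end

  # Verification in the patched form (Shrine 3.3.0 fix / workaround above).
  def verify_signature(string, signature)
    fail InvalidSignature, "missing \"signature\" param" if signature.nil?
    unless self.class.secure_compare(signature, generate_signature(string))
      fail InvalidSignature, "provided signature does not match the calculated signature"
    end
    true
  end
end
```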
References
You can read more about timing attacks here.
No officially reported memory leakage issues detected: this gem version does not have any officially reported memory leak issues.
No license issues detected: this gem version has a license in the gemspec.
This gem version is available: it has not been yanked and is still available for usage.