GHSA-5jjv-x4fq-qjwp
Vulnerability from github
Impact
When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL.
Patches
The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the derivation_endpoint plugin are urged to upgrade to Shrine 3.3.0 or greater.
Workarounds
Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:
rb
class Shrine
class UrlSigner
def verify_signature(string, signature)
if signature.nil?
fail InvalidSignature, "missing \"signature\" param"
elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
fail InvalidSignature, "provided signature does not match the calculated signature"
end
end
end
end
References
You can read more about timing attacks here.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "shrine"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-15237"
],
"database_specific": {
"cwe_ids": [
"CWE-203",
"CWE-208"
],
"github_reviewed": true,
"github_reviewed_at": "2020-10-05T15:46:53Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\nWhen using the `derivation_endpoint` plugin, it\u0027s possible for the attacker to use a timing attack to guess the signature of the derivation URL.\n\n### Patches\n\nThe problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater.\n\n### Workarounds\n\nUsers of older Shrine versions can apply the following monkey-patch after loading the `derivation_endpoint` plugin:\n\n```rb\nclass Shrine\n class UrlSigner\n def verify_signature(string, signature)\n if signature.nil?\n fail InvalidSignature, \"missing \\\"signature\\\" param\"\n elsif !Rack::Utils.secure_compare(signature, generate_signature(string))\n fail InvalidSignature, \"provided signature does not match the calculated signature\"\n end\n end\n end\nend\n```\n\n### References\n\nYou can read more about timing attacks [here](https://en.wikipedia.org/wiki/Timing_attack).",
"id": "GHSA-5jjv-x4fq-qjwp",
"modified": "2023-05-16T16:18:49Z",
"published": "2020-10-05T15:48:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/shrinerb/shrine/security/advisories/GHSA-5jjv-x4fq-qjwp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-15237"
},
{
"type": "WEB",
"url": "https://github.com/shrinerb/shrine/commit/1b27090ce31543bf39f186c20ea47c8250fca2f0"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/shrine/CVE-2020-15237.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/shrinerb/shrine"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Possible timing attack in derivation_endpoint"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.