Ruby

By DeepSource

Rails version vulnerable to timing attack in basic auth detected RB-A1006

Security

Rails versions up to and including 4.2.5 are susceptible to a timing attack in HTTP Basic authentication. Upgrading to a newer version of Rails fixes this issue.

The vulnerable versions do not use a constant-time algorithm when comparing the supplied credentials against the expected ones: the comparison stops at the first differing byte, so the response time depends on how much of the guess is correct. A remote attacker can measure these timing differences to bypass authentication.
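The following added example (not Rails' own code) models the flaw and the fix in plain Ruby: `naive_compare` mirrors a short-circuiting `==` check and reports how many bytes it examined, making the leak visible without noisy wall-clock timing, while `secure_compare` applies the same idea as the helper Rails switched to (`ActiveSupport::SecurityUtils.secure_compare`): hash both inputs, then XOR every byte with no early return. `hardened_basic_auth?` and the sample credential are constructed for illustration.

```ruby
require 'digest'

# Model of the vulnerable check: byte-by-byte comparison that returns at the
# first mismatch. Returns [match?, bytes_examined] so the timing leak is
# visible deterministically: bytes_examined grows with the correct prefix.
def naive_compare(expected, given)
  steps = 0
  expected.each_byte.with_index do |byte, i|
    steps += 1
    return [false, steps] if byte != given.getbyte(i)
  end
  [expected.bytesize == given.bytesize, steps]
end

# Constant-time comparison for equal-length strings: XOR every byte pair and
# OR the results together, never returning early.
def fixed_length_secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a_bytes = a.bytes
  diff = 0
  b.each_byte.with_index { |byte, i| diff |= byte ^ a_bytes[i] }
  diff.zero?
end

# Hash both inputs first so the comparison always runs over fixed-length
# digests and the length of the real credential is not leaked either.
def secure_compare(a, b)
  fixed_length_secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Hardened basic-auth check (hypothetical helper, not Rails' own code): the
# non-short-circuiting & makes the password comparison run even when the
# username is already wrong.
def hardened_basic_auth?(expected_user, expected_pass, user, pass)
  secure_compare(expected_user, user) & secure_compare(expected_pass, pass)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample credential and guesses with a growing correct prefix.
  secret = "s3cretpass"
  %w[x s3x s3cretpasx].each do |guess|
    ok, steps = naive_compare(secret, guess)
    puts "guess=#{guess.ljust(10)} match=#{ok} bytes_examined=#{steps}"
  end
  puts "hardened check: #{hardened_basic_auth?('admin', secret, 'admin', secret)}"
end
```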

References

  1. CVE-2015-7576 - Rails Security Group
  2. CVE-2015-7576 - GitHub Advisory Database
  3. OWASP Top 10 - A2 - Broken Authentication
  4. OWASP Top 10 - A9 - Using Components With Known Vulnerabilities