CVE-2020-15237 : In Shrine before version 3.3.0, when using the `derivation

In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.

Published 2020-10-05 19:15:15

Updated 2020-10-19 13:39:43

Source GitHub, Inc.

View at NVD, CVE.org

Products affected by CVE-2020-15237

Shrinerb » Shrine » For Ruby
Versions before (<) 3.3.0
cpe:2.3:a:shrinerb:shrine:*:*:*:*:*:ruby:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2020-15237

EPSS FAQ

0.32%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 52 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2020-15237

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:P/I:N/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	NIST
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2020-15237

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: security-advisories@github.com (Primary)
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2020-15237

https://github.com/shrinerb/shrine/security/advisories/GHSA-5jjv-x4fq-qjwp

Possible timing attack in derivation_endpoint · Advisory · shrinerb/shrine · GitHub
Third Party Advisory
https://github.com/shrinerb/shrine/commit/1b27090ce31543bf39f186c20ea47c8250fca2f0

Securely compare signature in derivation_endpoint · shrinerb/shrine@1b27090 · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2020-15237

Products affected by CVE-2020-15237

Exploit prediction scoring system (EPSS) score for CVE-2020-15237

CVSS scores for CVE-2020-15237

CWE ids for CVE-2020-15237

References for CVE-2020-15237