
CVE-2015-7576: Timing Attack in Ruby on Rails Actionpack

Severity: LOW (CVSS 3.7)

Platform: ruby

Component: actionpack

Fixed version: 3.2.22.1


CVE-2015-7576 describes a timing attack vulnerability within the HTTP Basic Authentication implementation of Ruby on Rails' Action Controller. This flaw allows a remote attacker to potentially bypass authentication by analyzing the time taken to verify credentials. The vulnerability affects versions of Actionpack up to and including 3.2.9.rc3, with a fix available in version 3.2.22.1.


Impact and attack scenarios

The primary impact of CVE-2015-7576 is the potential for unauthorized access to protected resources within a Ruby on Rails application. An attacker can exploit this timing vulnerability to deduce valid credentials by repeatedly attempting authentication and measuring the response times. While the CVSS score is LOW, successful exploitation could lead to complete compromise of the application and its data, particularly if sensitive information is accessible via Basic Authentication. This vulnerability shares similarities with other timing attacks targeting authentication mechanisms, highlighting the importance of constant-time algorithms in security-critical code.

Exploitation context

CVE-2015-7576 was published in 2017. There is no indication of active exploitation campaigns targeting this vulnerability. No public Proof-of-Concept (POC) exploits have been widely reported. The EPSS score is likely low, reflecting the difficulty and specialized knowledge required to successfully exploit this timing attack.

Threat intelligence

Exploitation status

Proof of concept: Unknown
CISA KEV: No
Internet exposure (NextGuard): 10–15% still vulnerable

EPSS

1.57% (81st percentile)

CVSS vector

Threat intelligence · CVSS 3.1

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N (3.7, LOW)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: High (conditions required to exploit the flaw)
Privileges Required: None (level of authentication the attack needs)
User Interaction: None (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: Low (risk of sensitive data disclosure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?

Attack Vector: Network. Exploitable remotely over the internet with no physical or local access; the largest possible attack surface.
Attack Complexity: High. Requires a race condition, a non-default configuration or other specific circumstances; hard to exploit reliably.
Privileges Required: None. No authentication or credentials are needed to exploit the flaw.
User Interaction: None. The attack is automatic and silent; the victim does not have to do anything.
Scope: Unchanged. Impact is confined to the vulnerable component itself.
Confidentiality: Low. Some data can be accessed.
Integrity: None. No integrity impact.
Availability: None. No availability impact.

Affected software

Component: actionpack
Vendor: osv
Highest affected version: 3.2.9.rc3
Fixed version: 3.2.22.1

Timeline

  1. Published date
  2. Modified date
  3. EPSS update date

Mitigations and alternatives

The recommended mitigation for CVE-2015-7576 is to upgrade to Ruby on Rails version 3.2.22.1 or later. If upgrading is not immediately feasible, consider disabling HTTP Basic Authentication entirely and implementing a more robust authentication mechanism. As a temporary workaround, implement rate limiting on authentication attempts to make timing attacks more difficult. Review your application's authentication logic to ensure it adheres to constant-time principles. After upgrading, confirm the fix by attempting a timing attack against the authentication endpoint and verifying that response times remain consistent regardless of the provided credentials.
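To make the constant-time principle behind this advisory concrete, here is an added illustration (not code from this page or from Rails itself) of the pattern a Basic Authentication check should avoid beside the pattern it should use. The naive comparison stops at the first differing byte, so its running time depends on how much of the guess is correct; the hardened version does the same amount of work for every input, hashes both sides so even length does not leak, and combines the name and password checks with & so both always run. All function names are illustrative and chosen for this example.

```ruby
require "digest"

# Vulnerable pattern: stops at the first mismatching byte. Returns
# [match, bytes_examined] so the data-dependent amount of work is visible.
def naive_compare(guess, secret)
  return [false, 0] if guess.bytesize != secret.bytesize
  guess.bytes.zip(secret.bytes).each_with_index do |(g, s), i|
    return [false, i + 1] if g != s
  end
  [true, guess.bytesize]
end

# Constant-time comparison for equal-length strings: XOR every byte pair
# into an accumulator and only look at the result after the full loop.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  acc = 0
  a.bytes.zip(b.bytes) { |x, y| acc |= x ^ y }
  acc.zero?
end

# Hashing both sides first fixes the compared length, so the early return
# above no longer reveals whether the guess had the right length.
def variable_size_secure_compare(a, b)
  secure_compare(Digest::SHA256.digest(a), Digest::SHA256.digest(b))
end

# Basic-auth style credential check (illustrative): `&` rather than `&&`
# so the password comparison runs even when the user name is wrong.
def basic_auth_ok?(name, password, expected_name, expected_password)
  variable_size_secure_compare(name, expected_name) &
    variable_size_secure_compare(password, expected_password)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: one wrong byte early versus one wrong byte late.
  p naive_compare("sXcret", "secret")  # examines 2 bytes
  p naive_compare("secreX", "secret")  # examines all 6 bytes
  p basic_auth_ok?("admin", "hunter2", "admin", "hunter2")
end
```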

How to fix

No official patch is listed here yet. Look for a temporary workaround or keep watching for updates.

Frequently asked questions

What is CVE-2015-7576 — Timing Attack in Ruby on Rails Actionpack?

CVE-2015-7576 is a vulnerability in Ruby on Rails Actionpack that allows attackers to bypass HTTP Basic Authentication by measuring timing differences during credential verification.

Am I affected by CVE-2015-7576 in Ruby on Rails Actionpack?

You are affected if your Ruby on Rails application uses Actionpack and is running a version prior to 3.2.22.1. Check your version using bundle -v.

How do I fix CVE-2015-7576 in Ruby on Rails Actionpack?

Upgrade your Ruby on Rails application to version 3.2.22.1 or later. Consider disabling Basic Authentication if upgrading is not immediately possible.

Is CVE-2015-7576 being actively exploited?

There is no public evidence of active exploitation campaigns targeting CVE-2015-7576, but the potential for exploitation remains.

Where can I find the official Ruby on Rails advisory for CVE-2015-7576?

Refer to the official Ruby on Rails security advisories: https://github.com/rails/rails/security/advisories
