CVE-2013-0263 (Rack Timing Attack)

  • Posted February 13, 2013

  • This vulnerability affects Rack, a middleware component of Puppet Enterprise used by the master and console roles. Specifically, it affects Rack::Session::Cookie, which verified the HMAC on a session cookie with a string comparison that does not run in constant time. Because such a comparison stops at the first mismatching byte, the response time leaks how much of a guessed HMAC was correct, and a remote attacker could recover a valid HMAC for a forged session cookie one byte at a time. With a forged session the attacker could gain privileges and then execute arbitrary code.


    • Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1
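The comparison at the root of this advisory, as an added example that is not Rack's, Puppet's, or the advisory's own code: a session-cookie check in the layout Rack::Session::Cookie uses (`payload--hmac`, with the HMAC-SHA1 hex digest computed over the payload), first with a plain string comparison and then with a constant-time comparison of the kind the Rack fix introduced (`Rack::Utils.secure_compare`). The secret, the session contents and the use of JSON in place of Marshal for the payload are constructed for this example.

```ruby
require 'openssl'
require 'json'

# Constructed for this example; a real deployment keeps the secret out of code.
SECRET = 'example-session-secret'

# Same digest Rack::Session::Cookie attaches to the cookie: HMAC-SHA1, hex encoded.
def generate_hmac(data, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, data)
end

# Build a cookie value in Rack's "<payload>--<hmac>" layout. The payload is
# strict base64 (pack 'm0') of the JSON-serialised session (Rack uses Marshal).
def sign_session(session, secret = SECRET)
  data = [JSON.generate(session)].pack('m0')
  "#{data}--#{generate_hmac(data, secret)}"
end

# VULNERABLE (pre-fix behaviour): String#!= returns as soon as one byte differs,
# so a forged digest whose first k hex digits are right takes measurably longer
# to reject than one that is wrong from the start. Averaged over many requests,
# that lets an attacker recover the 40-digit HMAC one digit at a time.
def verify_vulnerable(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil if digest != generate_hmac(data, secret)
  JSON.parse(data.unpack1('m0'))
end

# Constant-time comparison in the style of Rack::Utils.secure_compare: reject on
# a length mismatch (the only thing this leaks is length, which is fixed for a
# hex HMAC), then XOR every byte pair and OR the results together so the loop
# always runs over the whole string no matter where the first difference is.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  left = a.unpack('C*')
  acc = 0
  b.each_byte { |byte| acc |= byte ^ left.shift }
  acc.zero?
end

# FIXED: identical logic to verify_vulnerable, except the digest check no longer
# short-circuits. The outcome is the same for every input; only the timing
# side channel is gone.
def verify_fixed(cookie, secret = SECRET)
  data, digest = cookie.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, generate_hmac(data, secret))
  JSON.parse(data.unpack1('m0'))
end

if $PROGRAM_NAME == __FILE__
  cookie = sign_session('user_id' => 42, 'role' => 'admin')
  forged = sign_session({ 'user_id' => 1, 'role' => 'admin' }, 'wrong-secret')
  puts "genuine cookie accepted: #{!verify_fixed(cookie).nil?}"
  puts "forged cookie rejected:  #{verify_fixed(forged).nil?}"
end
```

Both verifiers reject a forged cookie outright; the difference is only in how long the rejection takes, which is why a functional test never catches this class of bug. The per-byte difference on a 40-character string is tiny on a single request, but a remote attacker can average thousands of requests per guessed digit, so the comparison itself has to be fixed rather than relying on network noise to hide it.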