CVE-2013-0263 (Rack Timing Attack)

  • Posted February 13, 2013

    • This vulnerability affects Rack, a middleware component of Puppet Enterprise used by the master and console roles. Specifically, it affects Rack::Session::Cookie. The vulnerability could allow remote attackers to guess the session cookie. This could let them gain privileges and then execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

    Status

    • Hotfixes available for Puppet Enterprise 1.2.6 and 2.7.1

    Hotfixes

    Puppet sites use proprietary and third-party cookies. By using our sites, you agree to our cookie policy.