ID

VAR-201912-1836


CVE

CVE-2019-16779


TITLE

RubyGem excon Input validation vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2019-013777

DESCRIPTION

In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this. RubyGem excon Contains an input validation vulnerability.Information may be obtained. RubyGem excon is an HTTP server for Ruby applications. There are security vulnerabilities in RubyGem excon versions prior to 0.71.0. An attacker could use this vulnerability to leak information

Trust: 2.16

sources: NVD: CVE-2019-16779 // JVNDB: JVNDB-2019-013777 // CNVD: CNVD-2020-03728

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2020-03728

AFFECTED PRODUCTS

vendor:exconmodel:exconscope:ltversion:0.71.0

Trust: 1.8

vendor:debianmodel:linuxscope:eqversion:8.0

Trust: 1.0

vendor:opensusemodel:leapscope:eqversion:15.1

Trust: 1.0

vendor:opensusemodel:backports slescope:eqversion:15.0

Trust: 1.0

vendor:rubygemsmodel:rubygem exconscope:ltversion:0.71.0

Trust: 0.6

sources: CNVD: CNVD-2020-03728 // JVNDB: JVNDB-2019-013777 // NVD: CVE-2019-16779

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2019-16779
value: MEDIUM

Trust: 1.0

security-advisories@github.com: CVE-2019-16779
value: MEDIUM

Trust: 1.0

NVD: CVE-2019-16779
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2020-03728
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201912-732
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2019-16779
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2020-03728
severity: MEDIUM
baseScore: 5.4
vectorString: AV:N/AC:H/AU:N/C:C/I:N/A:N
accessVector: NETWORK
accessComplexity: HIGH
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 4.9
impactScore: 6.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

nvd@nist.gov: CVE-2019-16779
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 2.2
impactScore: 3.6
version: 3.1

Trust: 1.0

security-advisories@github.com: CVE-2019-16779
baseSeverity: MEDIUM
baseScore: 5.8
vectorString: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: LOW
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 1.3
impactScore: 4.0
version: 3.1

Trust: 1.0

NVD: CVE-2019-16779
baseSeverity: MEDIUM
baseScore: 5.9
vectorString: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: HIGH
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: CNVD: CNVD-2020-03728 // JVNDB: JVNDB-2019-013777 // CNNVD: CNNVD-201912-732 // NVD: CVE-2019-16779 // NVD: CVE-2019-16779

PROBLEMTYPE DATA

problemtype:CWE-362

Trust: 1.0

problemtype:CWE-664

Trust: 1.0

problemtype:CWE-20

Trust: 0.8

sources: JVNDB: JVNDB-2019-013777 // NVD: CVE-2019-16779

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201912-732

TYPE

competition condition problem

Trust: 0.6

sources: CNNVD: CNNVD-201912-732

CONFIGURATIONS

[
  {
    "CVE_data_version": "4.0",
    "nodes": [
      {
        "operator": "OR",
        "cpe_match": [
          {
            "vulnerable": true,
            "cpe22Uri": "cpe:/a:excon_project:excon"
          }
        ]
      }
    ]
  }
]

sources: JVNDB: JVNDB-2019-013777

PATCH

title:fix for leftover data with interrupted persistent connectionsurl:https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29

Trust: 0.8

title:Interrupted Persistent Connections May Leak Response Dataurl:https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9

Trust: 0.8

title:Patch for RubyGem excon input validation error vulnerabilityurl:https://www.cnvd.org.cn/patchInfo/show/199023

Trust: 0.6

title:RubyGem excon Enter the fix for the verification error vulnerabilityurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=106097

Trust: 0.6

sources: CNVD: CNVD-2020-03728 // JVNDB: JVNDB-2019-013777 // CNNVD: CNNVD-201912-732

EXTERNAL IDS

db:NVDid:CVE-2019-16779

Trust: 3.0

db:JVNDBid:JVNDB-2019-013777

Trust: 0.8

db:CNVDid:CNVD-2020-03728

Trust: 0.6

db:AUSCERTid:ESB-2020.0376

Trust: 0.6

db:AUSCERTid:ESB-2020.0202

Trust: 0.6

db:AUSCERTid:ESB-2020.2563

Trust: 0.6

db:CNNVDid:CNNVD-201912-732

Trust: 0.6

sources: CNVD: CNVD-2020-03728 // JVNDB: JVNDB-2019-013777 // CNNVD: CNNVD-201912-732 // NVD: CVE-2019-16779

REFERENCES

url:https://github.com/excon/excon/security/advisories/ghsa-q58g-455p-8vw9

Trust: 2.2

url:https://lists.debian.org/debian-lts-announce/2020/01/msg00015.html

Trust: 2.2

url:https://nvd.nist.gov/vuln/detail/cve-2019-16779

Trust: 2.0

url:https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29

Trust: 1.6

url:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00021.html

Trust: 1.6

url:http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00062.html

Trust: 1.6

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2019-16779

Trust: 0.8

url:https://about.gitlab.com/releases/2020/01/30/security-release-gitlab-12-7-4-released/

Trust: 0.6

url:https://vigilance.fr/vulnerability/rubygem-excon-information-disclosure-via-persistent-connection-sockets-31312

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0376/

Trust: 0.6

url:https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ruby-on-rails-affects-ibm-license-metric-tool-v9-cve-2019-16779/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.2563/

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.0202/

Trust: 0.6

sources: CNVD: CNVD-2020-03728 // JVNDB: JVNDB-2019-013777 // CNNVD: CNNVD-201912-732 // NVD: CVE-2019-16779

SOURCES

db:CNVDid:CNVD-2020-03728
db:JVNDBid:JVNDB-2019-013777
db:CNNVDid:CNNVD-201912-732
db:NVDid:CVE-2019-16779

LAST UPDATE DATE

2024-11-23T21:36:15.215000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2020-03728date:2020-02-05T00:00:00
db:JVNDBid:JVNDB-2019-013777date:2020-01-16T00:00:00
db:CNNVDid:CNNVD-201912-732date:2021-10-29T00:00:00
db:NVDid:CVE-2019-16779date:2024-11-21T04:31:10.503

SOURCES RELEASE DATE

db:CNVDid:CNVD-2020-03728date:2020-02-05T00:00:00
db:JVNDBid:JVNDB-2019-013777date:2020-01-16T00:00:00
db:CNNVDid:CNNVD-201912-732date:2019-12-16T00:00:00
db:NVDid:CVE-2019-16779date:2019-12-16T20:15:15.540