5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15237

GHSA ID

GHSA-5jjv-x4fq-qjwp

EPSS Score

0.54157%

CWE

CWE-203

Published

10/5/2020

Updated

5/16/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-15237

CVE-2020-15237: Possible timing attack in derivation_endpoint

Impact

When using the derivation_endpoint plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL.

Patches

The problem has been fixed by comparing sent and calculated signature in constant time, using Rack::Utils.secure_compare. Users using the derivation_endpoint plugin are urged to upgrade to Shrine 3.3.0 or greater.

Workarounds

Users of older Shrine versions can apply the following monkey-patch after loading the derivation_endpoint plugin:

class Shrine
  class UrlSigner
    def verify_signature(string, signature)
      if signature.nil?
        fail InvalidSignature, "missing \"signature\" param"
      elsif !Rack::Utils.secure_compare(signature, generate_signature(string))
        fail InvalidSignature, "provided signature does not match the calculated signature"
      end
    end
  end
end

References

You can read more about timing attacks here.

(GitHub Advisory)

5.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-15237

GHSA ID

GHSA-5jjv-x4fq-qjwp

EPSS Score

0.54157%

CWE

CWE-203

Published

10/5/2020

Updated

5/16/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
shrine	rubygems	< 3.3.0	3.3.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insecure string comparison in signature verification. The original implementation used 'signature != generate_signature(string)' which performs a variable-time comparison. This was replaced with Rack::Utils.secure_compare in the patch, confirming this function as the vulnerable point. The commit diff, CWE-208 (Timing Discrepancy), and advisory all directly reference this function as the attack surface.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t W**n usin* t** `**riv*tion_*n*point` plu*in, it's possi*l* *or t** *tt**k*r to us* * timin* *tt**k to *u*ss t** si*n*tur* o* t** **riv*tion URL. ### P*t***s T** pro*l*m **s ***n *ix** *y *omp*rin* s*nt *n* **l*ul*t** si*n*tur* in *onst*

Reasoning

T** vuln*r**ility st*mm** *rom ins**ur* strin* *omp*rison in si*n*tur* v*ri*i**tion. T** ori*in*l impl*m*nt*tion us** 'si*n*tur* != **n*r*t*_si*n*tur*(strin*)' w*i** p*r*orms * v*ri**l*-tim* *omp*rison. T*is w*s r*pl**** wit* R**k::Utils.s**ur*_*omp*

5.9

Basic Information

Concerned about an active attack path?

CVE-2020-15237: Possible timing attack in derivation_endpoint

Impact

Patches

Workarounds

References

5.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI