CVE-2020-15237: Possible timing attack in derivation_endpoint
CVSS Score: 5.9 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-15237
GHSA ID:
EPSS Score: 0.54157%
CWE:
Published: 10/5/2020
Updated: 5/16/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
shrine | rubygems | < 3.3.0 | 3.3.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from an insecure string comparison in signature verification. The original implementation used `signature != generate_signature(string)`, a comparison whose running time varies with the position of the first differing byte. The patch replaced it with `Rack::Utils.secure_compare`, confirming this comparison as the vulnerable point. The commit diff, CWE-208 (Observable Timing Discrepancy), and the advisory all identify the same code path in derivation_endpoint as the attack surface.
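The contrast between the two comparisons, as an added example that is not shrine's or rack's own code: `generate_signature` is a constructed HMAC-SHA256 stand-in for shrine's signer, and `secure_compare` is a pure-Ruby reimplementation of what `Rack::Utils.secure_compare` does (assumed equivalent, written so the block runs without rack installed).

```ruby
require "openssl"

# Constructed stand-in for shrine's signature generation: an HMAC over the
# derivation path. The key is a constructed sample value, not a real secret.
SECRET_KEY = "constructed-sample-secret-key".freeze

def generate_signature(string)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET_KEY, string)
end

# The pre-3.3.0 pattern from the advisory: String equality stops at the first
# mismatching byte, so the response time depends on how many leading bytes of
# the supplied signature are correct. Kept here only to show the weak form.
def verify_signature_variable_time(string, signature)
  signature == generate_signature(string)
end

# Assumed equivalent of Rack::Utils.secure_compare: visit every byte and OR
# the XOR differences together, so the time taken does not depend on where
# (or whether) the strings differ. Hex digests are fixed length, so the
# early length check does not leak anything about the signature itself.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize

  diff = 0
  a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
  diff.zero?
end

# The patched form: same check, constant-time comparison.
def verify_signature_constant_time(string, signature)
  secure_compare(signature, generate_signature(string))
end

if __FILE__ == $PROGRAM_NAME
  path = "/derivations/thumbnail/300/300/constructed-file-id"
  sig = generate_signature(path)
  puts "valid signature accepted: #{verify_signature_constant_time(path, sig)}"
  puts "tampered signature accepted: #{verify_signature_constant_time(path, sig.tr('0-9a-f', '1-9a-f0'))}"
end
```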