---
url: http://osvdb.org/show/osvdb/89939
title: |
  Rack Rack::Session::Cookie Function Timing Attack Remote Code Execution
description: |
  Rack contains a flaw that is due to an error in the Rack::Session::Cookie
  function. Users of the Marshal session cookie encoding (the default) are
  subject to a timing attack that may lead an attacker to execute arbitrary
  code. This attack is more practical against 'cloud' users as intra-cloud
  latencies are sufficiently low to make the attack viable.
cvss_v2: 7.6
patched_versions:
  - ~> 1.1.6
  - ~> 1.2.8
  - ~> 1.3.10
  - ~> 1.4.5
  - ">= 1.5.2"
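The flaw is a session-cookie digest checked with an ordinary string comparison, which returns at the first differing byte. The added example below is not Rack's own code; it shows a minimal `payload--hexdigest` cookie verifier with a constant-time comparison of the kind Rack adopted (as `Rack::Utils.secure_compare`) in the patched versions, next to the naive comparison. The secret, the cookie layout and the function names are assumptions for this example.

```ruby
require "openssl"

# Constructed secret for this example; a real deployment uses a random key.
SECRET = "constructed-demo-secret-not-a-real-key"

# Naive comparison as used by the affected versions: String#== stops at the
# first mismatching byte, so response time correlates with how many leading
# bytes of the supplied digest are correct.
def naive_equal?(a, b)
  a == b
end

# Constant-time comparison: reject a length mismatch, then XOR every byte and
# OR the results together so the loop never exits early. Same approach as the
# secure_compare helper added to Rack::Utils in the fixed releases.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  l = a.unpack("C*")
  r = 0
  b.each_byte { |v| r |= v ^ l.shift }
  r == 0
end

def hmac(data, secret)
  OpenSSL::HMAC.hexdigest("SHA1", secret, data)
end

def sign_cookie(data, secret)
  "#{data}--#{hmac(data, secret)}"
end

# Cookie layout assumed here is "<payload>--<hexdigest>". The payload is
# returned only when the digest verifies; it is left opaque because decoding
# it with Marshal.load is itself risky, which is why a JSON coder is preferred.
def verify_cookie(cookie, secret, compare: method(:secure_compare))
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  compare.call(digest, hmac(data, secret)) ? data : nil
end
```

Both comparisons accept or reject the same cookies; the difference is only that `secure_compare` takes the same time whether the first or the last byte is wrong.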