CVE-2015-7576 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2015-7576 Interim 1 18 2024-10-12T02:01:11Z current 2021-05-30T13:33:59Z 2024-10-12T02:01:11Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2015-7576 The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2016-February/001876.html E-Mail link for SUSE-SU-2016:0435-1 https://lists.suse.com/pipermail/sle-security-updates/2016-February/001879.html E-Mail link for SUSE-SU-2016:0457-1 https://lists.suse.com/pipermail/sle-security-updates/2016-February/001899.html E-Mail link for SUSE-SU-2016:0600-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001901.html E-Mail link for SUSE-SU-2016:0618-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001906.html E-Mail link for SUSE-SU-2016:0623-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001963.html E-Mail link for SUSE-SU-2016:0857-1 https://lists.suse.com/pipermail/sle-security-updates/2016-March/001964.html E-Mail link for SUSE-SU-2016:0858-1 https://lists.suse.com/pipermail/sle-security-updates/2016-April/001989.html E-Mail link for SUSE-SU-2016:0968-1 https://lists.suse.com/pipermail/sle-security-updates/2016-April/002027.html E-Mail link for SUSE-SU-2016:1146-1 https://lists.suse.com/pipermail/sle-security-updates/2017-February/002650.html E-Mail link for SUSE-SU-2017:0475-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Enterprise Storage 2.1 SUSE Lifecycle Management Server 1.3 SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Software Development Kit 11 SP3 SUSE Linux Enterprise Software Development Kit 11 SP4 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE Linux Enterprise Module for Containers 12 SUSE OpenStack Cloud 5 SUSE OpenStack Cloud 6 SUSE OpenStack Cloud 7 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9 SUSE Studio Onsite 1.3 SUSE Studio Onsite Runner 1.3 SUSE WebYast 1.3 libcontainment-insomnia-0.1.1-0.9.4.19 libjansson4-2.2.1-0.9.11.6 portus portus-2.0.3-2.4 qemu-ext2-0.1.1-0.9.4.19 ruby2.1-rubygem-actionmailer-4_2 ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 ruby2.1-rubygem-actionpack-4_2-4.2.2-6.1 ruby2.1-rubygem-activesupport-4_1-4.1.9-15.1 ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1 rubygem-actionmailer-4_2 rubygem-actionpack-3_2-3.2.12-0.23.1 rubygem-activesupport-3_2-3.2.12-0.18.1 rubygem-activesupport-3_2-3.2.12-0.21.1 rubygem-bundler19-1.7.0-0.13.10 studio-help-1.3.20-0.6.9 susestudio-1.3.14-52.1 susestudio-bundled-packages-1.3.14-52.1 susestudio-common-1.3.14-52.1 susestudio-runner-1.3.14-52.1 susestudio-sid-1.3.14-52.1 susestudio-ui-server-1.3.14-52.1 ruby2.1-rubygem-actionpack-4_2-4.2.2-6.1 as a component of SUSE Enterprise Storage 2.1 ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1 as a component of SUSE Enterprise Storage 2.1 rubygem-actionpack-3_2-3.2.12-0.23.1 as a component of SUSE Lifecycle Management Server 1.3 rubygem-activesupport-3_2-3.2.12-0.21.1 as a component of SUSE Lifecycle Management Server 1.3 portus-2.0.3-2.4 as a component of SUSE Linux Enterprise Module for Containers 12 rubygem-activesupport-3_2-3.2.12-0.18.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP3 rubygem-actionpack-3_2-3.2.12-0.23.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 rubygem-activesupport-3_2-3.2.12-0.21.1 as a component of SUSE Linux Enterprise Software Development Kit 11 SP4 ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 as a component of SUSE OpenStack Cloud 5 ruby2.1-rubygem-activesupport-4_1-4.1.9-15.1 as a component of SUSE OpenStack Cloud 5 ruby2.1-rubygem-actionpack-4_2-4.2.2-6.1 as a component of SUSE OpenStack Cloud 6 ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1 as a component of SUSE OpenStack Cloud 6 libcontainment-insomnia-0.1.1-0.9.4.19 as a component of SUSE Studio Onsite 1.3 libjansson4-2.2.1-0.9.11.6 as a component of SUSE Studio Onsite 1.3 qemu-ext2-0.1.1-0.9.4.19 as a component of SUSE Studio Onsite 1.3 rubygem-actionpack-3_2-3.2.12-0.23.1 as a component of SUSE Studio Onsite 1.3 rubygem-activesupport-3_2-3.2.12-0.21.1 as a component of SUSE Studio Onsite 1.3 rubygem-bundler19-1.7.0-0.13.10 as a component of SUSE Studio Onsite 1.3 studio-help-1.3.20-0.6.9 as a component of SUSE Studio Onsite 1.3 susestudio-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 susestudio-bundled-packages-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 susestudio-common-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 susestudio-runner-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 susestudio-sid-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 susestudio-ui-server-1.3.14-52.1 as a component of SUSE Studio Onsite 1.3 libcontainment-insomnia-0.1.1-0.9.4.19 as a component of SUSE Studio Onsite Runner 1.3 libjansson4-2.2.1-0.9.11.6 as a component of SUSE Studio Onsite Runner 1.3 qemu-ext2-0.1.1-0.9.4.19 as a component of SUSE Studio Onsite Runner 1.3 rubygem-bundler19-1.7.0-0.13.10 as a component of SUSE Studio Onsite Runner 1.3 studio-help-1.3.20-0.6.9 as a component of SUSE Studio Onsite Runner 1.3 susestudio-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 susestudio-bundled-packages-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 susestudio-common-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 susestudio-runner-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 susestudio-sid-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 susestudio-ui-server-1.3.14-52.1 as a component of SUSE Studio Onsite Runner 1.3 rubygem-actionpack-3_2-3.2.12-0.23.1 as a component of SUSE WebYast 1.3 rubygem-activesupport-3_2-3.2.12-0.21.1 as a component of SUSE WebYast 1.3 portus as a component of SUSE Linux Enterprise Module for Containers 12 ruby2.1-rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud 7 rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud 7 ruby2.1-rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud Crowbar 8 rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud Crowbar 8 ruby2.1-rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud Crowbar 9 rubygem-actionmailer-4_2 as a component of SUSE OpenStack Cloud Crowbar 9 The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences. CVE-2015-7576 SUSE Enterprise Storage 2.1:ruby2.1-rubygem-actionpack-4_2-4.2.2-6.1 SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1 SUSE Lifecycle Management Server 1.3:rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Lifecycle Management Server 1.3:rubygem-activesupport-3_2-3.2.12-0.21.1 SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4 SUSE Linux Enterprise Software Development Kit 11 SP3:rubygem-activesupport-3_2-3.2.12-0.18.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Linux Enterprise Software Development Kit 11 SP4:rubygem-activesupport-3_2-3.2.12-0.21.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-actionpack-4_1-4.1.9-9.1 SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-15.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-actionpack-4_2-4.2.2-6.1 SUSE OpenStack Cloud 6:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1 SUSE Studio Onsite 1.3:libcontainment-insomnia-0.1.1-0.9.4.19 SUSE Studio Onsite 1.3:libjansson4-2.2.1-0.9.11.6 SUSE Studio Onsite 1.3:qemu-ext2-0.1.1-0.9.4.19 SUSE Studio Onsite 1.3:rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE Studio Onsite 1.3:rubygem-activesupport-3_2-3.2.12-0.21.1 SUSE Studio Onsite 1.3:rubygem-bundler19-1.7.0-0.13.10 SUSE Studio Onsite 1.3:studio-help-1.3.20-0.6.9 SUSE Studio Onsite 1.3:susestudio-1.3.14-52.1 SUSE Studio Onsite 1.3:susestudio-bundled-packages-1.3.14-52.1 SUSE Studio Onsite 1.3:susestudio-common-1.3.14-52.1 SUSE Studio Onsite 1.3:susestudio-runner-1.3.14-52.1 SUSE Studio Onsite 1.3:susestudio-sid-1.3.14-52.1 SUSE Studio Onsite 1.3:susestudio-ui-server-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:libcontainment-insomnia-0.1.1-0.9.4.19 SUSE Studio Onsite Runner 1.3:libjansson4-2.2.1-0.9.11.6 SUSE Studio Onsite Runner 1.3:qemu-ext2-0.1.1-0.9.4.19 SUSE Studio Onsite Runner 1.3:rubygem-bundler19-1.7.0-0.13.10 SUSE Studio Onsite Runner 1.3:studio-help-1.3.20-0.6.9 SUSE Studio Onsite Runner 1.3:susestudio-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:susestudio-bundled-packages-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:susestudio-common-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:susestudio-runner-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:susestudio-sid-1.3.14-52.1 SUSE Studio Onsite Runner 1.3:susestudio-ui-server-1.3.14-52.1 SUSE WebYast 1.3:rubygem-actionpack-3_2-3.2.12-0.23.1 SUSE WebYast 1.3:rubygem-activesupport-3_2-3.2.12-0.21.1 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N