Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Timing attack in Shrine
Vulnerability Description
In Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
通过时间差异性导致的信息暴露
Vulnerability Title
Shrine 安全漏洞
Vulnerability Description
Shrine是个人开发者的一个 Ruby 语言的文件工具包。 Shrine 3.3.0之前版本存在安全漏洞,该漏洞源于当使用“派生端点”插件时,攻击者可利用该漏洞可能会使用定时攻击来猜测派生URL的签名。
CVSS Information
N/A
Vulnerability Type
N/A