VDB
CVE-2019-16779
CVE-2019-16779
PUBLISHED
In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.
EPSS 0.56% · 68.5th percentile
Risk Scores
EPSS Score
0.56%
68.5th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | ruby-excon | 0.54.0-1, 0.60.0-1, 0 |
| Ubuntu:16.04:LTS | ruby-excon | 0, 0.45.1-2 |
Exploit Intelligence
- https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 (circl)
- https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 (circl)
- openSUSE-SU-2020:0036 (circl)
- [debian-lts-announce] 20200119 [SECURITY] [DLA 2070-1] ruby-excon security update (circl)
- openSUSE-SU-2020:0139 (circl)
Timeline
- Dec 16, 2019 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Dec 27, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 1, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 4, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2019-16779 third-party-advisory
- https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 third-party-advisory
- https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2019-16779 third-party-advisory