SCA: security update for rack (GHSA-hrqr-hxpp-chr3)

medium Tenable Self-Hosted Container Security Plugin ID 422144

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This
vulnerability is patched in versions 1.6.12 and 2.0.8. Attackers may be able to find and hijack sessions
by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database
that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the
amount of time it takes to look up a session, an attacker may be able to find a valid session id and
hijack the session. The session id itself may be generated randomly, but the way the session is indexed by
the backing store does not use a secure comparison. (CVE-2019-16782)

See Also

https://github.com/advisories/GHSA-hrqr-hxpp-chr3

Plugin Details

Severity: Medium

ID: 422144

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-16782

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/18/2019

Vulnerability Publication Date: 12/18/2019

Reference Information

CVE: CVE-2019-16782