{"vulnerability": "cve-2020-15237", "sightings": [{"uuid": "b38e3197-2bda-4cb0-b93f-02c55d264c0c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2020-15237", "type": "seen", "source": "https://t.me/cibsecurity/15062", "content": "\u203c CVE-2020-15237 \u203c\n\nIn Shrine before version 3.3.0, when using the `derivation_endpoint` plugin, it's possible for the attacker to use a timing attack to guess the signature of the derivation URL. The problem has been fixed by comparing sent and calculated signature in constant time, using `Rack::Utils.secure_compare`. Users using the `derivation_endpoint` plugin are urged to upgrade to Shrine 3.3.0 or greater. A possible workaround is provided in the linked advisory.\n\n\ud83d\udcd6 Read\n\nvia \"National Vulnerability Database\".", "creation_timestamp": "2020-10-05T22:27:25.000000Z"}]}