Vulnerability Name:

CVE-2019-16779 (CCN-173601)

Assigned:2019-12-16
Published:2019-12-16
Updated:2021-10-28
Summary:In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.
CVSS v3 Severity:5.9 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
5.2 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-362
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2019-16779

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2020:0036

Source: SUSE
Type: Third Party Advisory
openSUSE-SU-2020:0139

Source: XF
Type: UNKNOWN
rubygems-cve201916779-info-disc(173601)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29

Source: CCN
Type: excon GIT Repository
Interrupted Persistent Connections May Leak Response Data

Source: CONFIRM
Type: Third Party Advisory
https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20200119 [SECURITY] [DLA 2070-1] ruby-excon security update

Source: CCN
Type: IBM Security Bulletin 6123507 (License Metric Tool)
A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2019-16779).

Vulnerable Configuration:Configuration 1:
  • cpe:/a:excon_project:excon:*:*:*:*:*:*:*:* (Version < 0.71.0)

    • Configuration 2:
  • cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
  • OR cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*

    • Configuration 3:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:ibm:license_metric_tool:9.2:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201916779
    V
    		CVE-2019-16779
    2022-05-20
    oval:org.opensuse.security:def:64582
    P
    		Security update for postgresql12 (Moderate)
    2021-09-29
    oval:org.opensuse.security:def:13769
    P
    		apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14038
    P
    		stunnel-5.00-3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14766
    P
    		shadow-4.2.1-27.19.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14013
    P
    		procmail-3.22-267.12 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14744
    P
    		python-cupshelpers-1.5.7-7.5 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13920
    P
    		libksba8-1.3.0-23.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14106
    P
    		cpp48-4.8.5-30.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13901
    P
    		libgcrypt20-1.6.1-16.33.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14093
    P
    		avahi-0.6.32-30.36 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13884
    P
    		libXxf86dga1-1.1.4-3.58 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14082
    P
    		apache-commons-httpclient-3.1-4.364 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13837
    P
    		gpg2-2.0.24-3.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:63473
    P
    		gimp-2.10.12-7.25 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62771
    P
    		libXp6-32bit-1.0.3-1.24 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62767
    P
    		libSDL2-2_0-0-2.0.8-9.63 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62774
    P
    		libXvnc-devel-1.9.0-19.9.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62799
    P
    		libmodplug-devel-0.3.19-2.10.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:64524
    P
    		Security update for ucode-intel (Important)
    2021-06-10
    oval:org.opensuse.security:def:13747
    P
    		wireshark-1.12.7-15.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:13739
    P
    		tomcat-8.0.23-1.80 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:64694
    P
    		Security update for curl (Moderate)
    2021-05-26
    oval:org.opensuse.security:def:74636
    P
    		Security update for xstream (Important)
    2021-01-20
    oval:org.opensuse.security:def:63620
    P
    		gstreamer-plugins-ugly-1.16.2-1.75 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:63270
    P
    		libcacard-devel-2.5.3-1.27 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:62977
    P
    		perl-PerlMagick-7.0.7.34-8.3 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:38080
    P
    		tftp on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38534
    P
    		zypper on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63849
    P
    		Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:37979
    P
    		libvirglrenderer0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38495
    P
    		systemtap on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37842
    P
    		libMagickCore-6_Q16-1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38446
    P
    		perl-XML-LibXML on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39286
    P
    		Security update for rubygem-excon (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37758
    P
    		cron on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38387
    P
    		libunwind on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39244
    P
    		Security update for puppet (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37747
    P
    		ceph-common on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64315
    P
    		libXxf86vm-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38227
    P
    		java-1_7_0-openjdk on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38606
    P
    		gnome-keyring on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37746
    P
    		bzip2 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64314
    P
    		libXxf86dga-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38137
    P
    		axis on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:74769
    P
    		Security update for rubygem-excon (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38562
    P
    		coolkey on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64422
    P
    		openssh on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64178
    P
    		Security update for raptor (Important)
    2020-12-01
    oval:org.opensuse.security:def:100225
    P
    		 (Moderate)
    2020-09-09
    oval:org.opensuse.security:def:93512
    P
    		Security update for rubygem-excon (Moderate)
    2020-01-29
    oval:org.opensuse.security:def:110431
    P
    		Security update for rubygem-excon (Moderate)
    2020-01-13
    oval:com.ubuntu.disco:def:2019167790000000
    V
    		CVE-2019-16779 on Ubuntu 19.04 (disco) - medium.
    2019-12-16
    oval:com.ubuntu.bionic:def:2019167790000000
    V
    		CVE-2019-16779 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-12-16
    oval:com.ubuntu.xenial:def:2019167790000000
    V
    		CVE-2019-16779 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-12-16
    BACK
    excon_project excon *
    opensuse backports sle 15.0 sp1
    opensuse leap 15.1
    debian debian linux 8.0
    ibm license metric tool 9.2