[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Issues regarding ruby-rack/CVE-2019-16782

Ola Lundqvist <ola@inguza.com> writes:

> So regarding your throught about why Rack has this and not others. Well I
> think all have the same issue. I think it is a little of a stretch that
> this can be used in practice. I mean an attacker must do a broad search of
> all possible session identifiers to make use of this. Or have I
> misunderstood something?

I suspect you are mostly correct.

However how many people would really notice if an attacker made numerous
connections to their website in attempt to exploit this?
Brian May <bam@debian.org>

Reply to: