In RubyGem excon before 0.71.0, there was a race condition around persistent connections, where a connection which is interrupted (such as by a timeout) would leave data on the socket. Subsequent requests would then read this data, returning content from the previous response. The race condition window appears to be short, and it would be difficult to purposefully exploit this.
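The sequence described above can be replayed in a few dozen lines. The following is an added example and is not excon's code or the upstream patch: `PersistentConn` is a constructed model of a client that keeps one socket open across requests, a UNIX socket pair stands in for the TCP connection, and the peer's behaviour is scripted by hand. With `reset_on_interrupt: false` the client keeps the socket after a timeout, so the late reply to request 1 is what request 2 reads; with `reset_on_interrupt: true` the client drops the socket on interruption and reconnects, which is the mitigation pattern (close, never reuse, a connection whose request did not complete).

```ruby
require 'socket'

# Constructed model of a persistent-connection client (not excon's code).
# Each request is one line, each response is one line. A read that exceeds
# the timeout raises Interrupted, standing in for excon's timeout errors.
class PersistentConn
  class Interrupted < StandardError; end

  # The peer end of the current socket pair, exposed so a scenario can
  # script the server's behaviour.
  attr_reader :server_socket

  # reset_on_interrupt: true  -> hardened behaviour (drop the socket on error)
  # reset_on_interrupt: false -> pre-fix behaviour (keep it for the next request)
  def initialize(reset_on_interrupt:)
    @reset_on_interrupt = reset_on_interrupt
    @client = nil
    @server_socket = nil
  end

  # Lazily (re)connect; a socket pair stands in for a TCP connection.
  def socket
    connect if @client.nil?
    @client
  end

  def connect
    @client, @server_socket = Socket.pair(:UNIX, :STREAM, 0)
  end

  # Forget the socket so the next request opens a fresh one. Any bytes the
  # peer later writes to the old connection can no longer be read as a reply.
  def reset
    @client&.close
    @client = nil
  end

  def request(line, timeout_s:)
    sock = socket
    sock.puts(line)
    ready = IO.select([sock], nil, nil, timeout_s)
    raise Interrupted, "no response within #{timeout_s}s" if ready.nil?
    sock.gets.to_s.chomp
  rescue Interrupted
    reset if @reset_on_interrupt
    raise
  end
end

# Replays the advisory's sequence: request 1 is interrupted by a timeout, its
# reply arrives late, and request 2 then reads whatever is on the socket.
# Returns the body request 2 observed and whether it was stale.
def stale_response_scenario(reset_on_interrupt:)
  conn = PersistentConn.new(reset_on_interrupt: reset_on_interrupt)

  # Request 1: the peer stays silent, so the client times out.
  begin
    conn.request("GET /one", timeout_s: 0.05)
    raise "expected a timeout"
  rescue PersistentConn::Interrupted
    # Expected: interrupted before any response bytes arrived.
  end

  # The peer's late reply to request 1 is written to the original connection.
  # If the client already closed its end, the write fails and nothing queues.
  stale_peer = conn.server_socket
  begin
    stale_peer.puts("body-of-/one")
  rescue SystemCallError
    # EPIPE/ECONNRESET: the peer sees a dead connection.
  end

  # Request 2: the hardened client reconnects here; the vulnerable one reuses
  # the socket that still holds "body-of-/one". The peer's reply to request 2
  # is queued before the call because this demo is single-threaded.
  conn.socket
  conn.server_socket.puts("body-of-/two")
  second = conn.request("GET /two", timeout_s: 0.05)
  { body_seen_by_request_2: second, stale: second != "body-of-/two" }
ensure
  stale_peer&.close unless stale_peer.nil? || stale_peer.closed?
  conn&.server_socket&.close unless conn&.server_socket.nil? || conn.server_socket.closed?
  conn&.reset
end

if $PROGRAM_NAME == __FILE__
  puts "keep socket on timeout: #{stale_response_scenario(reset_on_interrupt: false)}"
  puts "reset socket on timeout: #{stale_response_scenario(reset_on_interrupt: true)}"
end
```

The stale read happens even though nothing is malicious: the interrupted request simply left its reply queued on a socket the next request trusted. The same pattern applies to any connection pool, so the check worth adding to a pooled client is that a connection returned to the pool after an exception is closed rather than reused.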
Workaround:
Weakness (CWE-664): The product does not maintain or incorrectly maintains control over a resource throughout its lifetime of creation, use, and release.
Weakness (CWE-362): The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
| Link | Tags |
|---|---|
| https://github.com/excon/excon/security/advisories/GHSA-q58g-455p-8vw9 | third party advisory |
| https://github.com/excon/excon/commit/ccb57d7a422f020dc74f1de4e8fb505ab46d8a29 | third party advisory, patch |
| http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00021.html | third party advisory, vendor advisory |
| https://lists.debian.org/debian-lts-announce/2020/01/msg00015.html | third party advisory, mailing list |
| http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00062.html | third party advisory, vendor advisory |