CVE-2013-0263

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

Published: 2013-02-08 Last update: 2026-04-29 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2013-0263 is rated Moderate Risk (47.4/100): CVSS Medium severity, with high exploitation likelihood (EPSS 5.28%, 91th percentile). EPSS ranks this CVE among the most likely to be exploited in the near term. High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2013-0263

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 16.07% 5.28% -10.79%
2 2026-04-20 8.63% 16.07% +7.44%
3 2026-03-26 8.63%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2013-0263

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
5.1 2.0 MEDIUM
AV:N/AC:H/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:H)
Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 4.9 6.4 [email protected]

Weakness enumeration for CVE-2013-0263

GitHub Security Advisory for CVE-2013-0263

GHSA-xc85-32mf-xpv8 · Severity: medium · Ecosystem: rubygems — Rack arbitrary code execution via timing attack

OS Trackers for CVE-2013-0263

vendor priority summary link
debian not yet assigned CVE-2013-0263 not yet assigned priority: Debian including 1 source packages (ruby-rack), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. https://security-tracker.debian.org/tracker/CVE-2013-0263
gentoo high CVE-2013-0263: 1 GLSA(s) (201405-10), 1 atom(s) (dev-ruby/rack); latest impact high. https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2013-0263
redhat medium https://access.redhat.com/security/cve/CVE-2013-0263
suse medium CVE-2013-0263 severity moderate: SUSE including 49 source package names (ruby2.1-rubygem-chef-10.32.2-3.1, ruby2.1-rubygem-chef-10.32.2-3.2, …), 51 product×package rows across 6 product lines (SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5, SUSE Linux Enterprise Software Development Kit 11 SP4, … (6 product lines)): Fixed 47, Known Not Affected 4. https://www.suse.com/security/cve/CVE-2013-0263/
ubuntu medium CVE-2013-0263 medium priority: Ubuntu including 1 source packages (ruby-rack), 15 status rows across 15 suites (hardy, lucid, oneiric, precise, quantal, raring, saucy, trusty, upstream, utopic, vivid, wily, xenial, yakkety, zesty): released 9, DNE 3, ignored 3. https://ubuntu.com/security/CVE-2013-0263

Affected software / configurations for CVE-2013-0263

Vendor Product Version Raw CPE
rack_project rack 1.5.0 cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*
rack_project rack 1.5.1 cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*
rack_project rack 1.4.0 cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*
rack_project rack 1.4.1 cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*
rack_project rack 1.4.2 cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*
rack_project rack 1.4.3 cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*
rack_project rack 1.4.4 cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*
rack_project rack 1.3.0 cpe:2.3:a:rack_project:rack:1.3.0:*:*:*:*:*:*:*
rack_project rack 1.3.1 cpe:2.3:a:rack_project:rack:1.3.1:*:*:*:*:*:*:*
rack_project rack 1.3.2 cpe:2.3:a:rack_project:rack:1.3.2:*:*:*:*:*:*:*
rack_project rack 1.3.3 cpe:2.3:a:rack_project:rack:1.3.3:*:*:*:*:*:*:*
rack_project rack 1.3.4 cpe:2.3:a:rack_project:rack:1.3.4:*:*:*:*:*:*:*
rack_project rack 1.3.5 cpe:2.3:a:rack_project:rack:1.3.5:*:*:*:*:*:*:*
rack_project rack 1.3.6 cpe:2.3:a:rack_project:rack:1.3.6:*:*:*:*:*:*:*
rack_project rack 1.3.7 cpe:2.3:a:rack_project:rack:1.3.7:*:*:*:*:*:*:*
rack_project rack 1.3.8 cpe:2.3:a:rack_project:rack:1.3.8:*:*:*:*:*:*:*
rack_project rack 1.3.9 cpe:2.3:a:rack_project:rack:1.3.9:*:*:*:*:*:*:*
rack_project rack 1.2.0 cpe:2.3:a:rack_project:rack:1.2.0:*:*:*:*:*:*:*
rack_project rack 1.2.1 cpe:2.3:a:rack_project:rack:1.2.1:*:*:*:*:*:*:*
rack_project rack 1.2.2 cpe:2.3:a:rack_project:rack:1.2.2:*:*:*:*:*:*:*
rack_project rack 1.2.3 cpe:2.3:a:rack_project:rack:1.2.3:*:*:*:*:*:*:*
rack_project rack 1.2.4 cpe:2.3:a:rack_project:rack:1.2.4:*:*:*:*:*:*:*
rack_project rack 1.2.6 cpe:2.3:a:rack_project:rack:1.2.6:*:*:*:*:*:*:*
rack_project rack 1.2.7 cpe:2.3:a:rack_project:rack:1.2.7:*:*:*:*:*:*:*
rack_project rack 1.1.0 cpe:2.3:a:rack_project:rack:1.1.0:*:*:*:*:*:*:*
rack_project rack 1.1.4 cpe:2.3:a:rack_project:rack:1.1.4:*:*:*:*:*:*:*
rack_project rack 1.1.5 cpe:2.3:a:rack_project:rack:1.1.5:*:*:*:*:*:*:*
rack_project rack 1.1.6 cpe:2.3:a:rack_project:rack:1.1.6:*:*:*:*:*:*:*

References for CVE-2013-0263

URL Tags
http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html
http://rack.github.com/ Vendor Advisory
http://rhn.redhat.com/errata/RHSA-2013-0686.html
http://secunia.com/advisories/52033 Vendor Advisory
http://secunia.com/advisories/52134 Vendor Advisory
http://secunia.com/advisories/52774
http://www.debian.org/security/2013/dsa-2783
http://www.osvdb.org/89939
https://bugzilla.redhat.com/show_bug.cgi?id=909071
https://gist.github.com/codahale/f9f3781f7b54985bee94
https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07
https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11
https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J
https://groups.google.com/forum/#%21msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ
https://groups.google.com/forum/#%21msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ
https://groups.google.com/forum/#%21msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ
https://groups.google.com/forum/#%21msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ
https://puppet.com/security/cve/cve-2013-0263
https://twitter.com/coda/statuses/299732877745197056
cvelogic Threat Intelligence