Skip to content

rest-client Gem Vulnerable to Session Fixation

Critical severity GitHub Reviewed Published Aug 13, 2018 to the GitHub Advisory Database • Updated Sep 5, 2023

Package

bundler rest-client (RubyGems)

Affected versions

>= 1.6.1.a, < 1.8.0

Patched versions

1.8.0

Description

REST client for Ruby (aka rest-client) versions 1.6.1.a until 1.8.0 allow remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.

References

Published to the GitHub Advisory Database Aug 13, 2018
Reviewed Jun 16, 2020
Last updated Sep 5, 2023

Severity

Critical
9.8
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses

CVE ID

CVE-2015-1820

GHSA ID

GHSA-3fhf-6939-qg8p

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.