
Secure/signed cookies share secrets between sites in a multi-site application

Moderate
jomaxro published GHSA-844m-cpr9-jcmh Nov 15, 2021

Package

rails_multisite (RubyGems)

Affected versions

< 4.0.0

Patched versions

>= 4.0.0

Description

Impact

This vulnerability affects any Rails application that uses rails_multisite together with Rails' signed or encrypted cookies. Because the sites share the cookie-signing secret, a signed or encrypted cookie minted for one 'site' also verifies on every other 'site' served by the same multi-site Rails application. Depending on how the application uses those cookies, an attacker may be able to replay a cookie obtained on one site against another.

Patches

The issue has been patched in v4.0.0 of the rails_multisite gem. Note that upgrading invalidates all previously issued signed/encrypted cookies, since they no longer verify under the new scheme. The impact of that invalidation varies with the application architecture.
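The following is an added illustration, not code from the advisory or from the rails_multisite gem. It models the Impact and Patches sections above with a minimal stand-in for a Rails signed cookie (base64 payload, "--", hex HMAC-SHA256 over it, mirroring the ActiveSupport::MessageVerifier layout) built from the Ruby standard library only. With one shared key, a cookie minted on site-a is accepted on site-b; with a key derived per site from secret_key_base (an illustrative key-separation technique, not necessarily how v4 implements its fix), the same replay fails, and cookies issued under the old shared key stop verifying, which is the invalidation the Patches section warns about. SECRET_KEY_BASE, the site names and the session payload are constructed values.

```ruby
require "openssl"
require "base64"
require "json"

# Constructed secret for this example; in Rails this role is played by secret_key_base.
SECRET_KEY_BASE = "constructed-example-secret-do-not-use-in-production"

# Minimal signed-cookie stand-in: base64(payload) + "--" + hex HMAC-SHA256(key, base64(payload)).
class SignedCookie
  def initialize(key)
    @key = key
  end

  def generate(value)
    data = Base64.strict_encode64(JSON.generate(value))
    "#{data}--#{digest(data)}"
  end

  # Returns the decoded payload, or nil if the cookie is malformed or its signature does not verify.
  def verify(cookie)
    data, sig = cookie.split("--", 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest("SHA256", @key, data)
  end

  # Constant-time comparison so signature checks do not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Vulnerable pattern: every site verifies cookies with the same key, so the site name is irrelevant.
def shared_verifier(_site)
  SignedCookie.new(SECRET_KEY_BASE)
end

# Hardened pattern (illustrative, an assumption about one valid fix, not the gem's patch):
# derive a distinct key per site from secret_key_base so a cookie minted for one site
# cannot verify on another.
def scoped_verifier(site)
  site_key = OpenSSL::HMAC.digest("SHA256", SECRET_KEY_BASE, "signed-cookie:#{site}")
  SignedCookie.new(site_key)
end

# Mint a cookie on +from+, replay it against +to+, and report whether it was accepted.
def replay_accepted?(verifier_for, from, to, payload)
  cookie = verifier_for.call(from).generate(payload)
  !verifier_for.call(to).verify(cookie).nil?
end

# Constructed session payload.
SESSION = { "user_id" => 42 }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "shared key, site-a cookie replayed on site-b accepted: " \
       "#{replay_accepted?(method(:shared_verifier), 'site-a', 'site-b', SESSION)}"
  puts "scoped key, site-a cookie replayed on site-b accepted: " \
       "#{replay_accepted?(method(:scoped_verifier), 'site-a', 'site-b', SESSION)}"
  puts "scoped key, site-a cookie used on site-a accepted: " \
       "#{replay_accepted?(method(:scoped_verifier), 'site-a', 'site-a', SESSION)}"
  old_cookie = shared_verifier("site-a").generate(SESSION)
  puts "old shared-key cookie still verifies after key scoping: " \
       "#{!scoped_verifier('site-a').verify(old_cookie).nil?}"
end
```

The last line of output is the practical cost of any such fix: the moment per-site keys are introduced, every cookie signed under the shared key fails verification, so plan for sessions to be reset when rolling out the upgrade.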

Severity

Moderate, 6.2 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: High

Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H

CVE ID

CVE-2021-41263

Weaknesses

No CWEs