CVE-2015-1820: rest-client passes values from Set-Cookie headers to arbitrary redirection target #369
Comments
Fixed in 1.8.0.
Update rest-client per rest-client/rest-client#369
Gemnasium Report: OSVDB-119878 - SESSION FIXATION VULNERABILITY VIA SET-COOKIE HEADERS

rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP 30x redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration.

If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack.

If you control a redirection target, you can steal any cookies set by the third-party redirection request.

Affected versions: Prior to 1.8.0
Not affected: Prior 1.6.1
Fixed versions: 1.8.0
Identifier: OSVDB-119878
Solution: Upgrade to latest version.
Credit: Andy Brody - Stripe
Source: rest-client/rest-client#369
See also: https://gemnasium.com/refile/refile

Originally, we had to revert the update (fiedl/wingolfsplattform@d0af733) due to a dependency conflict with refile (https://github.com/refile/refile). Following refile's contribution guidelines, we did not file a pull request or issue, but informed them via email about the security issue and fix: fiedl/refile@7f3b25a

Now, refile has fixed the issue: refile/refile@74c4b62

----

Trello: https://trello.com/c/aCFWQvgE/819-security-fix-rest-client

----

Original Pull Request for refile:

Updating rest-client to 1.8.0 to fix security issue OSVDB-119878. All tests are passing. Local test against one of our projects was successful. Please release a new gem version after merging this. Thanks!

Gemnasium Report

> **OSVDB-119878 - SESSION FIXATION VULNERABILITY VIA SET-COOKIE HEADERS**
> rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP 30x redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration.
>
> If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack.
>
> If you control a redirection target, you can steal any cookies set by the third-party redirection request.
>
> Affected versions: Prior to 1.8.0
> Not affected: Prior 1.6.1
> Fixed versions: 1.8.0
> Identifier: OSVDB-119878
> Solution: Upgrade to latest version.
> Credit: Andy Brody - Stripe
> Source: rest-client/rest-client#369
> See also: https://gemnasium.com/refile/refile
```
$ bundle-audit
Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.6.7
Advisory: OSVDB-117461
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Unpatched versions found!
```
Upgraded rest-client due to this vulnerability: rest-client/rest-client#369

I ran into this 'breaks-compatibility' issue after upgrading from 1.7.2 to 1.8.0. What is the recommended way to update to work with this fix? Is it a security setting configuration change on the server to stop sending set-cookie on redirects? Basically, what I am seeing with this change is that the new 'Cookie' value set in abstract_response -> follow_redirection is empty, but the original :cookie value is still correct. I am confused.
Addresses security issues in its rest-client dependencies: - rest-client/rest-client#369 - http://www.osvdb.org/show/osvdb/117461
Gem version updates

### Bump rails, jquery-rails, sprockets, sass-rails versions

Addresses security advisories:
- https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
- https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

---

### Bump coveralls version

Addresses security issues in its rest-client dependencies:
- rest-client/rest-client#369
- http://www.osvdb.org/show/osvdb/117461

Closes #214

See merge request !194

* OSVDB-119878 - Session fixation vulnerability via Set-Cookie headers - rest-client/rest-client#369
* OSVDB-117461 - Log plaintext password local disclosure - rest-client/rest-client#349

From https://github.com/rubysec/ruby-advisory-db:

```
Name: rest-client
Version: 1.7.3
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0
```

Also fix test suite.

```
$ bundle-audit
Insecure Source URI found: git://github.com/octokit/octokit.rb.git
Name: jquery-rails
Version: 3.1.1
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sentry-raven
Version: 0.9.4
Advisory: CVE-2014-9490
Criticality: Medium
URL: http://osvdb.org/show/osvdb/115654
Title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
Solution: upgrade to >= 0.12.2

Name: uglifier
Version: 2.5.3
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

Vulnerabilities found!
```
- Fixes CVE: http://www.osvdb.org/show/osvdb/117461 - More info: rest-client/rest-client#369
Updates four vulnerable gems, as reported by the `bundler-audit` gem.
- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client
```
$ bundle-audit check
Name: activesupport
Version: 4.0.13
Advisory: CVE-2015-3227
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
Title: Possible Denial of Service attack in Active Support
Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-5312
Criticality: High
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
Title: Nokogiri gem contains several vulnerabilities in libxml2
Solution: upgrade to >= 1.6.7.1

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-7499
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in libxml2
Solution: upgrade to >= 1.6.7.2

Name: nokogiri
Version: 1.6.1
Advisory: CVE-2015-1819
Criticality: Unknown
URL: sparklemotion/nokogiri#1374
Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

Name: nokogiri
Version: 1.6.1
Advisory: 118481
Criticality: Unknown
URL: sparklemotion/nokogiri#1087
Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory Consumption Remote DoS
Solution: upgrade to >= 1.6.3

Name: rack
Version: 1.5.2
Advisory: CVE-2015-3225
Criticality: Unknown
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
Title: Potential Denial of Service Vulnerability in Rack
Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Vulnerabilities found!
```
```
Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0
```
When Ruby rest-client [1] processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration.
This is very similar to CVE-2015-2296, which affected python-requests.
http://www.openwall.com/lists/oss-security/2015/03/14/4
The issue could be similarly exploited in the following ways:

- If you control a redirection source ([...] your URL), you can make rest-client perform a request to any third-party domain with cookies of your choosing. This may be useful in performing a session fixation attack.
- If you control a redirection target ([...] site redirect to your URL), you can steal any cookies set by the third-party redirection.
The behavior was introduced in rest-client 1.6.1 by this commit: 75ab0dc.
All subsequently released 1.6.x and 1.7.x versions are affected.
This issue is expected to be fixed in a forthcoming rest-client 1.8.0 release.
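As an added illustration (this is not rest-client's code and not part of the original report), the following Ruby contrasts the pre-1.8.0 behaviour, where every Set-Cookie value from the 30x response follows the redirect, with a cookie-jar style filter that applies the RFC 6265 domain, path, expiry and Secure checks before forwarding. The header values, hosts and paths are constructed for the demonstration.

```ruby
require 'uri'
require 'time'
# Default cookie path (RFC 6265 5.1.4): the request path up to its right-most "/".
def default_path(path)
  path.to_s.start_with?('/') && path.rindex('/') > 0 ? path[0...path.rindex('/')] : '/'
end
# Parse one Set-Cookie value; missing attributes take their defaults relative to
# the URL that sent the response (host-only cookie, default path, no expiry).
def parse_set_cookie(header, response_uri, now)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  c = { name: name, value: value, domain: response_uri.host.downcase, host_only: true,
        path: default_path(response_uri.path), secure: false, expires: nil }
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.downcase
    when 'domain'  then c[:domain] = val.to_s.sub(/\A\./, '').downcase; c[:host_only] = false
    when 'path'    then c[:path] = val if val.to_s.start_with?('/')
    when 'secure'  then c[:secure] = true
    when 'max-age' then c[:expires] = now + val.to_i               # Max-Age beats Expires
    when 'expires' then c[:expires] ||= (Time.parse(val) rescue nil)
    end
  end
  c
end
def domain_matches?(c, host)
  return host.downcase == c[:domain] if c[:host_only]
  host.downcase == c[:domain] || host.downcase.end_with?('.' + c[:domain])
end
def path_matches?(cookie_path, request_path)
  request_path = '/' if request_path.to_s.empty?
  request_path == cookie_path || (request_path.start_with?(cookie_path) &&
    (cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'))
end
# Vulnerable behaviour (rest-client 1.6.1 to 1.7.x): every cookie from the 30x
# response follows the redirect, whatever host the Location header names.
def forward_all(headers, response_uri, _target_uri, now)
  headers.map { |h| parse_set_cookie(h, response_uri, now) }.map { |c| [c[:name], c[:value]] }.to_h
end
# Hardened behaviour: forward a cookie only if the responding host was allowed to
# set it, the target matches its domain and path, it is unexpired, and a Secure
# cookie is not sent over plain http.
def forward_matching(headers, response_uri, target_uri, now)
  headers.map { |h| parse_set_cookie(h, response_uri, now) }.select { |c|
    domain_matches?(c, response_uri.host) && domain_matches?(c, target_uri.host) &&
      path_matches?(c[:path], target_uri.path) && (c[:expires].nil? || c[:expires] > now) &&
      (!c[:secure] || target_uri.scheme == 'https')
  }.map { |c| [c[:name], c[:value]] }.to_h
end
```

With a constructed 302 from https://app.example.com/account/login carrying a host-only Secure session cookie, forward_all sends it to any Location host, while forward_matching sends nothing to an unrelated host and drops the Secure cookie when the target is plain http.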
External links
Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1205291
oss-sec: https://marc.info/?l=oss-security&m=142717222416509&w=2
Not yet active:
Mitre: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1820
NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1820