
CVE-2015-1820: rest-client passes values from Set-Cookie headers to arbitrary redirection target #369

Closed
ab opened this issue Mar 24, 2015 · 2 comments

ab commented Mar 24, 2015

When Ruby rest-client [1] processes an HTTP redirection response, it blindly passes along the values from any Set-Cookie headers to the redirection target, regardless of domain, path, or expiration.

This is very similar to CVE-2015-2296, which affected python-requests.
http://www.openwall.com/lists/oss-security/2015/03/14/4

The issue could be similarly exploited in the following ways:

  • If you are the redirection source (i.e. you can make rest-client hit
    your URL), you can make rest-client perform a request to any
    third-party domain with cookies of your choosing. This may be useful
    in performing a session fixation attack.
  • If you are the redirection target (i.e. you can make a third-party
    site redirect to your URL), you can steal any cookies set by the
    third-party redirection.

The behavior was introduced in rest-client 1.6.1 by this commit:
75ab0dc.
All subsequently released 1.6.x and 1.7.x versions are affected.

This issue is expected to be fixed in a forthcoming rest-client 1.8.0 release.

External links

Red Hat: https://bugzilla.redhat.com/show_bug.cgi?id=1205291
oss-sec: https://marc.info/?l=oss-security&m=142717222416509&w=2

Not yet active:
Mitre: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-1820
NVD: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1820
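The three scoping checks the report says rest-client skipped (domain, path, expiration), as an added example that is not rest-client's code or the fix shipped in 1.8.0: a Ruby filter that applies RFC 6265 cookie matching to a redirect response's Set-Cookie headers and returns only the cookies that may be sent to the redirect target. A cross-domain redirect therefore yields an empty cookie set, which is the behaviour a client patched along these lines shows. All function names, the sample headers and the URLs are constructed for illustration.

```ruby
# Added example (not rest-client's own code): a client-side filter that applies
# RFC 6265 scoping (domain, path, expiry, Secure) to the Set-Cookie headers of
# a redirect response before any cookie is sent to the redirect target.
# Function names, sample headers and URLs are constructed for illustration.
require 'uri'
require 'time'

# RFC 6265 5.1.4: the default path is the request path up to its last '/'.
def default_path(uri)
  path = uri.path.to_s
  return '/' if path.empty? || !path.start_with?('/') || path.count('/') == 1
  path[0...path.rindex('/')]
end

# RFC 6265 5.1.3: a host domain-matches a domain when it equals it or is a
# subdomain of it.
def domain_match?(host, domain)
  host == domain || host.end_with?('.' + domain)
end

# RFC 6265 5.1.4: path matching of a request path against a cookie path.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  request_path.start_with?(cookie_path) &&
    (cookie_path.end_with?('/') || request_path[cookie_path.length] == '/')
end

# Parse one Set-Cookie header value received from request_uri. Returns nil when
# the cookie must be rejected outright (a Domain attribute not covering the host).
def parse_set_cookie(header, request_uri)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  host = request_uri.host.to_s.downcase
  cookie = { name: name.strip, value: value.to_s, domain: host, host_only: true,
             path: default_path(request_uri), expires: nil, secure: false }
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.strip.downcase
    when 'domain'
      d = val.to_s.strip.downcase.sub(/\A\./, '')
      next if d.empty?                         # empty Domain attribute is ignored
      return nil unless domain_match?(host, d) # foreign Domain: reject the cookie
      cookie[:domain] = d
      cookie[:host_only] = false
    when 'path'
      cookie[:path] = val if val && val.start_with?('/')
    when 'expires'
      cookie[:expires] = (Time.parse(val.to_s) rescue nil)
    when 'max-age'
      cookie[:expires] = Time.now + val.to_i
    when 'secure'
      cookie[:secure] = true
    end
  end
  cookie
end

# Return the name => value pairs that may be forwarded from source_url's redirect
# response to target_url; anything out of scope for the target is dropped.
def cookies_for_redirect(set_cookie_headers, source_url, target_url, now: Time.now)
  source = URI(source_url)
  target = URI(target_url)
  target_host = target.host.to_s.downcase
  target_path = target.path.to_s.empty? ? '/' : target.path
  set_cookie_headers.each_with_object({}) do |header, out|
    c = parse_set_cookie(header, source)
    next if c.nil?
    next if c[:expires] && c[:expires] <= now          # expired cookie
    next if c[:secure] && target.scheme != 'https'     # Secure cookie, plain target
    in_domain = c[:host_only] ? target_host == c[:domain] : domain_match?(target_host, c[:domain])
    next unless in_domain && path_match?(target_path, c[:path])
    out[c[:name]] = c[:value]
  end
end

# Constructed sample: a 302 from https://app.example.com/login carrying five cookies.
SAMPLE_SET_COOKIE = [
  'session=abc123; Path=/; HttpOnly',
  'pref=dark; Domain=example.com; Path=/',
  'old=stale; Expires=Thu, 01 Jan 2015 00:00:00 GMT',
  'csrf=tok; Secure',
  'evil=x; Domain=attacker.example'
].freeze

if __FILE__ == $0
  src = 'https://app.example.com/login'
  ['https://app.example.com/dashboard', 'https://third-party.example/landing',
   'http://api.example.com/v1'].each do |target|
    puts "#{target}: #{cookies_for_redirect(SAMPLE_SET_COOKIE, src, target).inspect}"
  end
end
```

Run stand-alone, the script shows the same-host redirect keeping `session`, `pref` and `csrf`, the redirect to `third-party.example` receiving nothing, and the plain-HTTP redirect to `api.example.com` receiving only the domain-scoped `pref` cookie (the Secure cookie stays behind). The `evil` cookie never enters the jar at all because its Domain attribute does not cover the host that set it.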

@ab ab self-assigned this Mar 24, 2015
@ab ab added this to the 1.8.0 milestone Mar 24, 2015
ab commented Mar 24, 2015

Fixed in 1.8.0.

@ab ab closed this as completed Mar 24, 2015
ab added a commit to ab/ruby-advisory-db that referenced this issue Mar 25, 2015
sbleon added a commit to sbleon/pivotal-tracker that referenced this issue Mar 26, 2015
jsmestad added a commit to jsmestad/pivotal-tracker that referenced this issue Mar 26, 2015
ab added a commit to ab/ruby-advisory-db that referenced this issue Mar 26, 2015
philippbayer added a commit to philippbayer/mendeley that referenced this issue Mar 27, 2015
dandrabik added a commit to kickstarter/amazon_flex_pay that referenced this issue Mar 27, 2015
fiedl added a commit to fiedl/refile that referenced this issue May 8, 2015
Gemnasium Report:

  OSVDB-119878 - SESSION FIXATION VULNERABILITY VIA SET-COOKIE HEADERS
  rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP 30x redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration.

  If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack.

  If you control a redirection target, you can steal any cookies set by the third-party redirection request.

  Affected versions: Prior to 1.8.0
  Not affected: Prior 1.6.1
  Fixed versions: 1.8.0
  Identifier: OSVDB-119878
  Solution: Upgrade to latest version.
  Credit: Andy Brody - Stripe
  Source: rest-client/rest-client#369

See also:
https://gemnasium.com/refile/refile
fiedl added a commit to fiedl/your_platform that referenced this issue May 31, 2015
Originally, we had to revert the update (fiedl/wingolfsplattform@d0af733) due to a dependency conflict with refile (https://github.com/refile/refile).

Following refile's contribution guidelines, we did not file a pull-request or issue, but informed them via email about the security issue and fix: fiedl/refile@7f3b25a

Now, refile has fixed the issue: refile/refile@74c4b62

----

Trello: https://trello.com/c/aCFWQvgE/819-security-fix-rest-client

----

Original Pull Request for refile:

Updating rest-client to 1.8.0 to fix security issue OSVDB-119878.

All tests are passing.
Local test against one of our projects was successful.

Please release a new gem version after merging this. Thanks!

Gemnasium Report

> **OSVDB-119878 - SESSION FIXATION VULNERABILITY VIA SET-COOKIE HEADERS**
> rest-client in abstract_response.rb improperly handles Set-Cookie headers on HTTP 30x redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration.
>
> If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack.
>
> If you control a redirection target, you can steal any cookies set by the third-party redirection request.
>
> Affected versions: Prior to 1.8.0
> Not affected: Prior 1.6.1
> Fixed versions: 1.8.0
> Identifier: OSVDB-119878
> Solution: Upgrade to latest version.
> Credit: Andy Brody - Stripe
> Source: rest-client/rest-client#369

See also:
https://gemnasium.com/refile/refile
Koronen added a commit to Koronen/stringer that referenced this issue Jun 13, 2015
    $ bundle-audit
    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-1820
    Criticality: Unknown
    URL: rest-client/rest-client#369
    Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
    Solution: upgrade to >= 1.8.0

    Name: rest-client
    Version: 1.6.7
    Advisory: OSVDB-117461
    Criticality: Unknown
    URL: http://www.osvdb.org/show/osvdb/117461
    Title: Rest-Client Gem for Ruby logs password information in plaintext
    Solution: upgrade to >= 1.7.3

    Unpatched versions found!
dotemacs pushed a commit to hmcts/hwf-staffapp that referenced this issue Jun 22, 2015
Upgraded rest-client due to this vulnerability:

rest-client/rest-client#369
@trabulmonkee

I ran into this 'breaks-compatibility' issue after upgrading from 1.7.2 to 1.8.0. What is the recommended way to update to work with this fix? Is it a security setting configuration change on the server to stop sending set-cookie on redirects?
or
On redirects issued by the server, should the server supply the same set-cookie header with the 302 response?

Basically, what I am seeing with this change is that the new 'Cookie' value set in abstract_response -> follow_redirection is empty. But the original :cookie value is still correct. I am confused.

rspeicher added a commit to gitlabhq/gitlab-ci that referenced this issue Jul 14, 2015
Addresses security issues in its rest-client dependencies:

- rest-client/rest-client#369
- http://www.osvdb.org/show/osvdb/117461
ayufan added a commit to gitlabhq/gitlab-ci that referenced this issue Jul 14, 2015
Gem version updates

### Bump rails, jquery-rails, sprockets, sass-rails versions

Addresses security advisories:

- https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
- https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

---

### Bump coveralls version

Addresses security issues in its rest-client dependencies:

- rest-client/rest-client#369
- http://www.osvdb.org/show/osvdb/117461

Closes #214

See merge request !194
voxxit added a commit to voxxit/engineyard-cloud-client that referenced this issue Aug 30, 2015
* OSVDB-119878 - Session fixation vulnerability via Set-Cookie headers - rest-client/rest-client#369
* OSVDB-117461 - Log plaintext password local disclosure - rest-client/rest-client#349
acuppy pushed a commit to CodingZeal/ruby-trello that referenced this issue Sep 21, 2015
From https://github.com/rubysec/ruby-advisory-db:

Name: rest-client
Version: 1.7.3
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via
Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Also fix test suite.
JuanitoFatas added a commit to JuanitoFatas/hound that referenced this issue Oct 21, 2015
$ bundle-audit
Insecure Source URI found: git://github.com/octokit/octokit.rb.git
Name: jquery-rails
Version: 3.1.1
Advisory: CVE-2015-1840
Criticality: Medium
URL: https://groups.google.com/forum/#!topic/ruby-security-ann/XIZPbobuwaY
Title: CSRF Vulnerability in jquery-rails
Solution: upgrade to >= 4.0.4, ~> 3.1.3

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.7.2
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: sentry-raven
Version: 0.9.4
Advisory: CVE-2014-9490
Criticality: Medium
URL: http://osvdb.org/show/osvdb/115654
Title: sentry-raven Gem for Ruby contains a flaw that can result in a denial of service
Solution: upgrade to >= 0.12.2

Name: uglifier
Version: 2.5.3
Advisory: 126747
Criticality: Unknown
URL: mishoo/UglifyJS#751
Title: uglifier incorrectly handles non-boolean comparisons during minification
Solution: upgrade to >= 2.7.2

Vulnerabilities found!
mathias pushed a commit to heroku/kensa that referenced this issue Nov 24, 2015
Koronen added a commit to stringer-rss/stringer that referenced this issue Jan 24, 2016
Updates four vulnerable gems, as reported by the `bundler-audit` gem.

- [X] activesupport
- [X] nokogiri
- [X] rack
- [X] rest-client

    $ bundle-audit check
    Name: activesupport
    Version: 4.0.13
    Advisory: CVE-2015-3227
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/rubyonrails-security/bahr2JLnxvk
    Title: Possible Denial of Service attack in Active Support
    Solution: upgrade to >= 4.2.2, ~> 4.1.11, ~> 3.2.22

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-5312
    Criticality: High
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/aSbgDiwb24s
    Title: Nokogiri gem contains several vulnerabilities in libxml2
    Solution: upgrade to >= 1.6.7.1

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-7499
    Criticality: Medium
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/Dy7YiKb_pMM
    Title: Nokogiri gem contains a heap-based buffer overflow vulnerability in
           libxml2
    Solution: upgrade to >= 1.6.7.2

    Name: nokogiri
    Version: 1.6.1
    Advisory: CVE-2015-1819
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1374
    Title: Nokogiri gem contains several vulnerabilities in libxml2 and libxslt
    Solution: upgrade to ~> 1.6.6.4, >= 1.6.7.rc4

    Name: nokogiri
    Version: 1.6.1
    Advisory: 118481
    Criticality: Unknown
    URL: sparklemotion/nokogiri#1087
    Title: Nokogiri Gem for JRuby XML Document Root Element Handling Memory
           Consumption
    Remote DoS
    Solution: upgrade to >= 1.6.3

    Name: rack
    Version: 1.5.2
    Advisory: CVE-2015-3225
    Criticality: Unknown
    URL: https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc
    Title: Potential Denial of Service Vulnerability in Rack
    Solution: upgrade to >= 1.6.2, ~> 1.5.4, ~> 1.4.6

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-1820
    Criticality: Unknown
    URL: rest-client/rest-client#369
    Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie
           headers in 30x redirection responses
    Solution: upgrade to >= 1.8.0

    Name: rest-client
    Version: 1.6.7
    Advisory: CVE-2015-3448
    Criticality: Unknown
    URL: http://www.osvdb.org/show/osvdb/117461
    Title: Rest-Client Gem for Ruby logs password information in plaintext
    Solution: upgrade to >= 1.7.3

    Vulnerabilities found!
CloCkWeRX added a commit to CloCkWeRX/chef-newrelic-sysmond that referenced this issue Apr 18, 2016
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0
Vulnerabilities found!
CloCkWeRX added a commit to CloCkWeRX/writeit-rails that referenced this issue Feb 6, 2017
Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0
KrauseFx added a commit to fastlane/fastlane that referenced this issue Jul 25, 2017
jankeesvw added a commit to my-channels/ruby-v2-sdk that referenced this issue Aug 8, 2017
Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-1820
Criticality: Unknown
URL: rest-client/rest-client#369
Title: rubygem-rest-client: session fixation vulnerability via
Set-Cookie headers in 30x redirection responses
Solution: upgrade to >= 1.8.0

Name: rest-client
Version: 1.6.7
Advisory: CVE-2015-3448
Criticality: Unknown
URL: http://www.osvdb.org/show/osvdb/117461
Title: Rest-Client Gem for Ruby logs password information in plaintext
Solution: upgrade to >= 1.7.3