-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2024-26144.yml
45 lines (35 loc) · 1.43 KB
/
CVE-2024-26144.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
---
gem: activestorage
framework: rails
cve: 2024-26144
ghsa: 8h22-8cf7-hq6g
url: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
title: Possible Sensitive Session Information Leak in Active Storage
date: 2024-02-21
description: |
There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a `Set-Cookie` header along with the user’s
session cookie when serving blobs. It also sets `Cache-Control` to public.
Certain proxies may cache the `Set-Cookie`, leading to an information leak.
This vulnerability has been assigned the CVE identifier CVE-2024-26144.
Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7
# Impact
A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.
This was patched in 7.1.0 but not previously identified as a security
vulnerability.
All users running an affected release should either upgrade or use one of the
workarounds immediately.
# Releases
The fixed releases are available at the normal locations.
# Workarounds
Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
`Set-Cookie` headers.
cvss_v3: 5.3
unaffected_versions:
- "< 5.2.0"
- ">= 7.1.0"
patched_versions:
- "~> 6.1.7, >= 6.1.7.7"
- ">= 7.0.8.1"