GHSA-844m-cpr9-jcmh

Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/11/GHSA-844m-cpr9-jcmh/GHSA-844m-cpr9-jcmh.json
Aliases
  • CVE-2021-41263
Published
2021-11-15T17:54:01Z
Modified
2022-09-22T03:59:32.233750Z
Details

Impact

This vulnerability impacts any Rails applications using rails_multisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application.

Patches

The issue has been patched in v4 of the rails_multisite gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.

References

Affected packages

RubyGems / rails_multisite

rails_multisite

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0
Fixed
4.0.0

Affected versions

0.*

0.0.1

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.1.0
1.1.0.rc1
1.1.0.rc2
1.1.0.rc3
1.1.0.rc4
1.1.1
1.1.2

2.*

2.0.1
2.0.2
2.0.4
2.0.6
2.0.7
2.1.0
2.1.1
2.1.2
2.2.2
2.3.0
2.4.0
2.5.0

3.*

3.0.0
3.1.0