GHSA-p4c6-77gc-694x

Suggest an improvement
Source
https://github.com/advisories/GHSA-p4c6-77gc-694x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/10/GHSA-p4c6-77gc-694x/GHSA-p4c6-77gc-694x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-p4c6-77gc-694x
Aliases
Published
2017-10-24T18:33:38Z
Modified
2024-02-16T08:18:18.735165Z
Summary
session fixation protection mechanism in cgi_process.rb in Rails
Details

The session fixation protection mechanism in cgiprocess.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookieonly attribute from the DEFAULTSESSIONOPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks. NOTE: this is due to an incomplete fix for CVE-2007-5380.

References

Affected packages

RubyGems / rails

Package

Name
rails
Purl
pkg:gem/rails

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.2.6

Affected versions

0.*

0.8.0
0.8.5
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.4.1
0.9.5
0.10.0
0.10.1
0.11.0
0.11.1
0.12.0
0.12.1
0.13.0
0.13.1
0.14.1
0.14.2
0.14.3
0.14.4

1.*

1.0.0
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5