Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2024-26144

Опубликовано: 27 фев. 2024
Источник: debian
EPSS Низкий

Описание

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
railsfixed2:7.2.2.1+dfsg-1package
railsnot-affectedbullseyepackage

Примечания

  • https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945

  • https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g

  • https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433 (v7.0.8.1)

  • https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3 (v6.1.7.7)

  • Introduced by: https://github.com/rails/rails/commit/dfb5a82b259e134eac89784ac4ace0c44d1b4aee (v6.1.0rc1)

  • Proxying was introduced in v6.1.0

EPSS

Процентиль: 84%
0.02313
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2024-26144

CVSS3: 5.3
ubuntu
почти 2 года назад

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

redhat логотип

CVE-2024-26144

CVSS3: 5.3
redhat
почти 2 года назад

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

nvd логотип

CVE-2024-26144

CVSS3: 5.3
nvd
почти 2 года назад

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

github логотип

GHSA-8h22-8cf7-hq6g

CVSS3: 5.3
github
почти 2 года назад

Rails has possible Sensitive Session Information Leak in Active Storage

fstec логотип

BDU:2024-06652

CVSS3: 6.1
fstec
почти 2 года назад

Уязвимость компонента Active Storage программной платформы Ruby on Rails, связанная с раскрытием конфиденциальной информации неавторизованному лицу, позволяющая нарушителю получить конфиденциальную информацию

EPSS

Процентиль: 84%
0.02313
Низкий