exploitDog

CVE-2024-26144

Published: 25 Feb 2024
Source: redhat
CVSS3: 5.3
EPSS: Low

Description

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

A flaw was found in Active Storage that may lead to a sensitive session information leak. By default, Active Storage sends a Set-Cookie header along with the user’s session cookie when serving blobs and sets Cache-Control to public. Certain proxies may cache Set-Cookie, leading to an information leak.
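The condition the advisory describes is a response that carries a Set-Cookie header while its Cache-Control permits shared caches. The following Ruby check is an added example written for this page; it is not code from Rails, Red Hat or any advisory, and the sample header sets are constructed, not captured from a real application. It flags a response as a leak risk when Set-Cookie is present and Cache-Control contains "public" without "private" or "no-store", which is what lets a caching proxy store the session cookie. The exact headers emitted by fixed Rails versions (7.0.8.1, 6.1.7.7) are not shown on this page and are not assumed here.

```ruby
# Added example (not from the advisory or Rails): a defender-side check for the
# header combination described in CVE-2024-26144. A response that sets a cookie
# while declaring itself publicly cacheable can have that Set-Cookie stored by
# a shared caching proxy and replayed to other clients.

# Parse a Cache-Control value into a list of lowercase directive names
# ("max-age=300, public" => ["max-age", "public"]).
def cache_control_directives(value)
  return [] if value.nil?
  value.split(",").map { |d| d.strip.split("=").first.to_s.downcase }.reject(&:empty?)
end

# Returns true when the response could leak Set-Cookie via a shared cache.
# `headers` is a Hash of header name => value; names are compared case-insensitively.
def cacheable_set_cookie?(headers)
  norm = headers.each_with_object({}) { |(k, v), h| h[k.to_s.downcase] = v }
  return false unless norm.key?("set-cookie")
  directives = cache_control_directives(norm["cache-control"])
  # "no-store" or "private" forbids shared caches even if "public" also appears.
  return false if directives.include?("no-store") || directives.include?("private")
  directives.include?("public")
end

# Constructed sample responses (assumed values, not captured from a real Rails app).
VULNERABLE_BLOB_RESPONSE = {
  "Content-Type" => "image/png",
  "Cache-Control" => "max-age=300, public",
  "Set-Cookie" => "_app_session=EXAMPLE; path=/; HttpOnly",
}.freeze

HARDENED_BLOB_RESPONSE = {
  "Content-Type" => "image/png",
  "Cache-Control" => "max-age=300, private",
  "Set-Cookie" => "_app_session=EXAMPLE; path=/; HttpOnly",
}.freeze

NO_COOKIE_RESPONSE = {
  "Content-Type" => "image/png",
  "Cache-Control" => "max-age=300, public",
}.freeze

if __FILE__ == $0
  { vulnerable: VULNERABLE_BLOB_RESPONSE,
    hardened: HARDENED_BLOB_RESPONSE,
    no_cookie: NO_COOKIE_RESPONSE }.each do |name, h|
    puts "#{name}: #{cacheable_set_cookie?(h) ? 'LEAK RISK' : 'ok'}"
  end
end
```

Run it against the headers your own blob endpoints return (for example from a proxy access log or a test client) to confirm that responses which set the session cookie are never marked public for shared caches.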

Affected packages

Platform                                 | Package                     | Status   | Advisory        | Release
Red Hat 3scale API Management Platform 2 | 3scale-amp-system-container | Affected | -               | -
Red Hat 3scale API Management Platform 2 | 3scale-amp-zync-container   | Affected | -               | -
Red Hat Satellite 6.15 for RHEL 8        | rubygem-activestorage       | Fixed    | RHSA-2024:10806 | 04.12.2024


Additional information

Status: Moderate
Defect: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2266063 (rubygem-activestorage: Possible Sensitive Session Information Leak in Active Storage)

EPSS: 0.01861 (percentile 82%, Low)

CVSS3: 5.3 Medium

Related vulnerabilities

CVSS3: 5.3
ubuntu
more than 1 year ago

Description identical to the Red Hat text above.

CVSS3: 5.3
nvd
more than 1 year ago

Description identical to the Red Hat text above.

CVSS3: 5.3
debian
more than 1 year ago

Rails is a web-application framework. Starting with version 5.2.0, the ...

CVSS3: 5.3
github
more than 1 year ago

Rails has possible Sensitive Session Information Leak in Active Storage

CVSS3: 6.1
fstec
more than 1 year ago

A vulnerability in the Active Storage component of the Ruby on Rails software platform, related to disclosure of confidential information to an unauthorized party, allowing an attacker to obtain confidential information.
