Description
Rack::Session is a session management implementation for Rack. In versions from 2.0.0 up to but not including 2.1.1, when the Rack::Session::Pool middleware is in use, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long-running request (within that same session) that overlaps with the user logging out, in order to retain illicit access even after the user has attempted to log out. This issue has been patched in version 2.1.1.
A flaw was found in Rack::Session. This vulnerability allows an attacker to maintain unauthorized access to a user's session by triggering a long-running request after the user logs out.
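The following is an added illustration of the race described above and is not code from the rack-session gem or from the advisory. It models a session pool as a plain in-memory hash: a request reads its own copy of the session at the start and writes it back at the end, so a long-running request that began before a logout can write a stale copy back after the logout has deleted the session. The `guard_deleted_writes` option, the `SessionPool` class, the `simulate_*` helpers and the session id value are all constructed for this example; the guard shows one possible hardening (refusing to write back a session id that no longer exists in the store) and is an assumption of this model, not necessarily the change shipped in 2.1.1.

```ruby
# Constructed model of the Rack::Session::Pool logout race; not the gem's code.
require 'thread'

class SessionPool
  def initialize(guard_deleted_writes: false)
    @pool  = {}
    @mutex = Mutex.new
    @guard = guard_deleted_writes
  end

  # Login path: unconditionally create a session for a fresh id.
  def create(sid, session)
    @mutex.synchronize { @pool[sid] = session.dup }
  end

  # Start of a request: load a private copy of the session state.
  def read(sid)
    @mutex.synchronize { (@pool[sid] || {}).dup }
  end

  # End of a request: write the (possibly modified) copy back.
  # Returns true if stored, false if the guard rejected the write.
  def write(sid, session)
    @mutex.synchronize do
      # Hardened variant (assumption of this model): never re-create a session
      # id that was deleted while this request was in flight.
      return false if @guard && !@pool.key?(sid)
      @pool[sid] = session
      true
    end
  end

  # Logout path: drop the session.
  def delete(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end

  def exists?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

# Request A reads the session, the user logs out while A is still running,
# then A finishes and writes its stale copy back. Returns whether the session
# id exists again afterwards (true = the logged-out session was resurrected).
def simulate_logout_race(guard_deleted_writes:)
  pool = SessionPool.new(guard_deleted_writes: guard_deleted_writes)
  sid  = 'constructed-sid'                  # constructed sample id
  pool.create(sid, { 'user_id' => 42 })

  loaded     = Queue.new                    # A signals "session copy taken"
  logged_out = Queue.new                    # main signals "logout has happened"

  long_request = Thread.new do
    stale = pool.read(sid)
    loaded << :ok
    logged_out.pop
    pool.write(sid, stale)                  # stale write-back after logout
  end

  loaded.pop
  pool.delete(sid)                          # logout while A is in flight
  logged_out << :ok
  long_request.join

  pool.exists?(sid)
end

# Sanity check: the guard must not break an ordinary request whose session
# still exists at write time.
def simulate_normal_request
  pool = SessionPool.new(guard_deleted_writes: true)
  sid  = 'constructed-sid'
  pool.create(sid, { 'user_id' => 42 })
  session = pool.read(sid)
  session['last_seen'] = 'now'
  pool.write(sid, session)
end

if $PROGRAM_NAME == __FILE__
  puts "unguarded pool resurrects session after logout: #{simulate_logout_race(guard_deleted_writes: false)}"
  puts "guarded pool resurrects session after logout:   #{simulate_logout_race(guard_deleted_writes: true)}"
end
```

The two queues force a deterministic interleaving (read, then delete, then write-back) so the race is reproduced on every run rather than depending on scheduling. In a real deployment the equivalent defensive check is to treat the session store, not the per-request copy, as the source of truth for whether a session is still alive, and to verify that after upgrading to a fixed version a logout followed by a late write-back leaves no session behind.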
Affected packages
Platform | Package | Status | Recommendation | Release |
---|---|---|---|---|
Logging Subsystem for Red Hat OpenShift | openshift-logging/fluentd-rhel8 | Fix deferred | | |
Logging Subsystem for Red Hat OpenShift | openshift-logging/fluentd-rhel9 | Fix deferred | | |
Red Hat 3scale API Management Platform 2 | 3scale-amp2/zync-rhel8 | Fix deferred | | |
Red Hat 3scale API Management Platform 2 | 3scale-amp2/zync-rhel9 | Fix deferred | | |
Red Hat Enterprise Linux 7 | pcs | Fix deferred | | |
Red Hat Enterprise Linux 8 | pcs | Fix deferred | | |
Red Hat Enterprise Linux 9 | pcs | Fix deferred | | |
Red Hat Satellite 6 | rubygem-rack | Fix deferred | | |
Red Hat Satellite 6 | satellite-capsule:el8/rubygem-rack | Fix deferred | | |
Red Hat Satellite 6 | satellite:el8/rubygem-rack | Fix deferred | | |
Source links
Additional information
Status:
EPSS
4.2 Medium
CVSS3