Homepage
About Snyk

Exposure of Data Element to Wrong Session Affecting actionpack package, versions >=5.2.0, <6.1.7.7 >=7.0.0, <7.0.8.1

Severity

 Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.04% (12th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIONPACK-6274388
  • published 25 Feb 2024
  • disclosed 24 Feb 2024
  • credit tyage
Report a new vulnerability Found a mistake?

Introduced: 24 Feb 2024

CVE-2024-26144 Open this link in a new tab
CWE-488 Open this link in a new tab

How to fix?

Upgrade actionpack to version 6.1.7.7, 7.0.8.1 or higher.

Overview

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session due to the default behavior of sending a Set-Cookie header along with the user's session cookie when serving blobs and setting Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. An attacker can exploit this behavior to cause users to share sessions.

Workaround

This vulnerability can be avoided by configuring caching proxies not to cache Set-Cookie headers.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
7.5 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

Red Hat

5.3 medium