Homepage
About Snyk

Exposure of Data Element to Wrong Session Affecting actionpack package, versions >=5.2.0, <6.1.7.7 >=7.0.0, <7.0.8.1

0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    EPSS 0.05% (15th percentile)
Expand this section
Red Hat
5.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-ACTIONPACK-6274388
  • published 25 Feb 2024
  • disclosed 24 Feb 2024
  • credit tyage
Report a new vulnerability Found a mistake?

Introduced: 24 Feb 2024

CVE-2024-26144 Open this link in a new tab
CWE-488 Open this link in a new tab

How to fix?

Upgrade actionpack to version 6.1.7.7, 7.0.8.1 or higher.

Overview

Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session due to the default behavior of sending a Set-Cookie header along with the user's session cookie when serving blobs and setting Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. An attacker can exploit this behavior to cause users to share sessions.

Workaround

This vulnerability can be avoided by configuring caching proxies not to cache Set-Cookie headers.