Added CVE-2024-26144 for actionpack (issue #751).

rubysec · Feb 24, 2024 · 95316e8 · 95316e8
1 parent a769a2e
commit 95316e8
Showing 1 changed file with 43 additions and 0 deletions.
diff --git a/gems/actionpack/CVE-2024-26144.yml b/gems/actionpack/CVE-2024-26144.yml
@@ -0,0 +1,43 @@
+---
+gem: actionpack
+framework: rails
+cve: 2024-26144
+url: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
+title: Possible Sensitive Session Information Leak in Active Storage
+date: 2024-02-21
+description: |
+  There is a possible sensitive session information leak in Active Storage.
+  By default, Active Storage sends a `Set-Cookie` header along with the user’s
+  session cookie when serving blobs. It also sets `Cache-Control` to public.
+  Certain proxies may cache the `Set-Cookie`, leading to an information leak.
+
+  This vulnerability has been assigned the CVE identifier CVE-2024-26144.
+
+  Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7
+
+  # Impact
+
+  A proxy which chooses to caches this request can cause users to share
+  sessions. This may include a user receiving an attacker’s session or vice
+  versa.
+
+  This was patched in 7.1.0 but not previously identified as a security
+  vulnerability.
+
+  All users running an affected release should either upgrade or use one of the
+  workarounds immediately.
+
+  # Releases
+
+  The fixed releases are available at the normal locations.
+
+  # Workarounds
+
+  Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
+  `Set-Cookie` headers.
+unaffected_versions:
+  - "< 5.2.0"
+  - ">= 7.1.0"
+patched_versions:
+  - "~> 6.1.7, >= 6.1.7.7"
+  - ">= 7.0.8.1"