Bug 1205291 (CVE-2015-1820)
| Summary: | CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | abaron, abrody, aortega, apatters, apevec, ayoung, bbuckingham, bcourt, bhu, bkearney, bleanhar, btotty, cbillett, ccoleman, chrisw, cpelland, cperry, dajohnso, dallan, dclarizi, dmcphers, esammons, gkotton, gmccullo, hhudgeon, iboverma, jdetiber, jhardy, jialiu, jkeck, joelsmith, jokerman, jprause, jrafanie, jross, jrusnack, jvlcek, katello-bugs, kseifried, lhh, lmeyer, lpeer, lzap, markmc, matt, mburns, mcressma, mfojtik, mmccomas, mmccune, mrg-program-list, nmoumoul, obarenbo, ohadlevy, rbryant, rchan, rhos-maint, rjerrido, sclewis, sokeeffe, tbielawa, tdawson, tjay, tomckay, williams, xlecauch, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | rest-client 1.8.0 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-04-30 08:38:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1205294, 1205295, 1205296, 1205297, 1205298, 1865809 | ||
| Bug Blocks: | 1205299 | ||
|
Description
Vasyl Kaigorodov
2015-03-24 16:11:40 UTC
Created rubygem-rest-client tracking bugs for this issue: Affects: fedora-all [bug 1205294] Upstream patch: https://github.com/rest-client/rest-client/commit/c215b22bdbcb988dcc40117ff45432b0db25175b The full patch is three commits: https://github.com/rest-client/rest-client/pull/365.patch There are two ways this issue can be exploited: - If you are the redirection source (i.e. you can make rest-client hit your URL), you can make rest-client perform a request to any third-party domain with cookies of your choosing. This may be useful in performing a session fixation attack. This means vulnerable product we ship must make request to malicious site (to get fixated cookie) AND upon getting redirect log in to the victim site (using attacker supplied cookie) AND we assume the product uses cookies to authenticate with victim site AND that victim site does not reset session after login (i.e. is vulnerable to session fixation). - If you are the redirection target (i.e. you can make a third-party site redirect to your URL), you can steal any cookies set by the third-party redirection. This means vulnerable product we ship must make a request to vulnerable site AND attacker must arrange vulnerable site redirects to his malicious one AND we assume the product uses cookies to authenticate with victim site. Based on the above analysis, the security implications of this issue are quite minimal. |