Bug 1849141 (CVE-2020-8184)
| Field | Value |
|---|---|
| Summary | CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | akarol, bbuckingham, bcourt, bkearney, bmidwood, btotty, dbecker, dmetzger, gmccullo, gp, gtanzill, hhudgeon, hvyas, jaruga, jfrey, jhardy, jjoyce, jschluet, lhh, lpeer, lzap, mburns, mmccune, mo, nmoumoul, obarenbo, puebele, rchan, rhel8-maint, rhos-maint, rjerrido, roliveri, ruby-packagers-sig, sclewis, simaishi, slinaber, smallamp, sokeeffe, steve.traylen, strzibny, vondruch, xlecauch |
| Keywords | Reopened, Security |
| Hardware | All |
| OS | Linux |
| Fixed In Version | rubygem-rack 2.1.4, rubygem-rack 2.2.3 |
| Doc Text | A flaw was found in rubygem-rack. An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application. The highest threat from this vulnerability is to data integrity. |
| Last Closed | 2020-10-27 14:21:50 UTC |
| Bug Depends On | 1849143, 1839028, 1849142, 1849674, 1849845, 1850911, 1910700 |
| Bug Blocks | 1849144 |

Description
Guilherme de Almeida Suckevicz
2020-06-19 16:54:45 UTC
Created rubygem-rack tracking bugs for this issue:

* Affects: epel-all [bug 1849143]
* Affects: fedora-all [bug 1849142]

External References:

https://groups.google.com/forum/#!msg/rubyonrails-security/OWtmozPH9Ak/4m00yHPCBAAJ

* HackerOne report: https://hackerone.com/reports/895727
* Cookie RFC: https://www.ietf.org/rfc/rfc2965.txt
* Initial idea of Magic-cookies aka cookie prefixes: https://textslashplain.com/2015/10/09/duct-tape-and-baling-wirecookie-prefixes/
* Idea to proposal; allowed prefix pattern: https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3

    Set-Cookie: __Secure-SID=12345; Secure; Domain=example.com
    Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/

The flaw in Rack allows __%48ost- or __%53ecure- or custom cookie to be set without HTTPS/root domain/secure page flag. With this escape, an attacker could set this cookie from a subdomain and have it apply to the root domain.

Statement:

Because Red Hat OpenStack Platform 13.0 Operational Tools packages ship the flawed code, but do not use its functionality, its Impact has been reduced to 'Low'.

Red Hat Satellite 6 and Red Hat CloudForms ship affected RubyGem Rack, however, since overwriting cookies is not possible, products are not vulnerable to the flaw. We may update the Rack dependency in a future release.

Red Hat Gluster Storage 3 ships RubyGem Rack, but the version shipped does not contain the affected code. Therefore, it is impossible to overwrite cookies using this particular flaw.

This issue has been addressed in the following products:

Red Hat Satellite 6.7 for RHEL 8
Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8184
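
The name collision described above, as an added Ruby example that is not part of the bug report and is not Rack's own code: a simplified model of a cookie parser that percent-decodes names, a parser that keeps names literal, and a check that flags raw names which only gain a `__Host-` or `__Secure-` prefix after decoding. All function names and the sample header are hypothetical and constructed for illustration.

```ruby
require 'uri'

# Prefixes from the cookie-prefixes draft; compared case-insensitively to be conservative.
GUARDED_PREFIXES = ['__host-', '__secure-'].freeze

# Constructed sample Cookie header: a disguised name next to the genuine prefixed cookie.
SAMPLE_HEADER = '__%48ost-SID=attacker-chosen; __Host-SID=12345; theme=dark%20mode'

# Split a Cookie header into [raw_name, raw_value] pairs without decoding anything.
def raw_cookie_pairs(header)
  header.split(/;\s*/)
        .map { |pair| pair.split('=', 2) }
        .reject { |name, _| name.nil? || name.empty? }
        .map { |name, value| [name, value.to_s] }
end

# Percent-decode, falling back to the raw string on malformed escapes.
def percent_decode(str)
  URI.decode_www_form_component(str)
rescue ArgumentError
  str
end

# Model of the flawed behaviour: names are decoded, so two raw names can collide.
# "First occurrence wins" is an assumption of this model.
def parse_decoding_names(header)
  raw_cookie_pairs(header).each_with_object({}) do |(name, value), jar|
    key = percent_decode(name)
    jar[key] = percent_decode(value) unless jar.key?(key)
  end
end

# Model of the safe behaviour: names are kept byte-for-byte, only values are decoded.
def parse_literal_names(header)
  raw_cookie_pairs(header).each_with_object({}) do |(name, value), jar|
    jar[name] = percent_decode(value) unless jar.key?(name)
  end
end

# Detection: raw names that only gain a guarded prefix after percent-decoding.
def disguised_prefixed_names(header)
  raw_cookie_pairs(header).map(&:first).select do |name|
    decoded = percent_decode(name).downcase
    GUARDED_PREFIXES.none? { |p| name.downcase.start_with?(p) } &&
      GUARDED_PREFIXES.any? { |p| decoded.start_with?(p) }
  end
end
```

Running `disguised_prefixed_names` over logged Cookie headers is one way to spot requests that rely on this behaviour while an upgrade to the fixed versions listed above is pending.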