Bug 1205291 (CVE-2015-1820) - CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses
Summary: CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie ...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2015-1820
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1205294 1205295 1205296 1205297 1205298 1865809
Blocks: 1205299
TreeView+ depends on / blocked
 
Reported: 2015-03-24 16:11 UTC by Vasyl Kaigorodov
Modified: 2021-12-14 18:47 UTC (History)
67 users (show)

Fixed In Version: rest-client 1.8.0
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-04-30 08:38:39 UTC
Embargoed:

Attachments (Terms of Use)

Description Vasyl Kaigorodov 2015-03-24 16:11:40 UTC 
The rest-client team discovered a vulnerability which
has now been fixed in rest-client 1.8.0.
https://rubygems.org/gems/rest-client/versions/1.8.0
https://github.com/rest-client/rest-client/issues/369

The problematic behavior was introduced in rest-client 1.6.1: any
Set-Cookie headers present in an HTTP 30x redirection response are
blindly sent to the redirection target, regardless of domain, path,
expiration, or secure cookie settings. All subsequent 1.6.x and 1.7.x
releases are affected.

Similarly to the issue with python-requests (CVE-2015-2296), the issue could be
exploited in the following ways:

- If you are the redirection source (i.e. you can make rest-client hit
your URL), you can make rest-client perform a request to any
third-party domain with cookies of your choosing. This may be useful
in performing a session fixation attack.
- If you are the redirection target (i.e. you can make a third-party
site redirect to your URL), you can steal any cookies set by the
third-party redirection.
Comment 3 Vasyl Kaigorodov 2015-03-24 16:15:16 UTC 
Created rubygem-rest-client tracking bugs for this issue:

Affects: fedora-all [bug 1205294]
Comment 6 Ján Rusnačko 2015-03-26 11:37:12 UTC 
Upstream patch:
https://github.com/rest-client/rest-client/commit/c215b22bdbcb988dcc40117ff45432b0db25175b
Comment 7 Andy Brody 2015-03-26 18:25:18 UTC 
The full patch is three commits:

https://github.com/rest-client/rest-client/pull/365.patch
Comment 8 Martin Prpič 2015-10-05 08:19:30 UTC 
There are two ways this issue can be exploited:

- If you are the redirection source (i.e. you can make rest-client hit
your URL), you can make rest-client perform a request to any
third-party domain with cookies of your choosing. This may be useful
in performing a session fixation attack.

This means vulnerable product we ship must make request to malicious site (to get fixated cookie) AND upon getting redirect log in to the victim site (using attacker supplied cookie) AND we assume the product uses cookies to authenticate with victim site AND that victim site does not reset session after login (i.e. is vulnerable to session fixation).

- If you are the redirection target (i.e. you can make a third-party
site redirect to your URL), you can steal any cookies set by the
third-party redirection.

This means vulnerable product we ship must make a request to vulnerable site AND attacker must arrange vulnerable site redirects to his malicious one AND we assume the product uses cookies to authenticate with victim site.

Based on the above analysis, the security implications of this issue are quite minimal.
Note You need to log in before you can comment on or make changes to this bug.