Bug 1849141 (CVE-2020-8184) - CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
Summary: CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-8184
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849143 1839028 1849142 1849674 1849845 1850911 1910700
Blocks: 1849144
Reported: 2020-06-19 16:54 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-12-14 18:47 UTC (History)

Fixed In Version: rubygem-rack 2.1.4, rubygem-rack 2.2.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in rubygem-rack. An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application. The highest threat from this vulnerability is to data integrity.
Clone Of:
Environment:
Last Closed: 2020-10-27 14:21:50 UTC




Links:
Red Hat Product Errata RHSA-2020:4366 (Last Updated: 2020-10-27 12:57:13 UTC)

Description Guilherme de Almeida Suckevicz 2020-06-19 16:54:45 UTC
An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.

Reference:
https://groups.google.com/forum/#!msg/rubyonrails-security/OWtmozPH9Ak/4m00yHPCBAAJ

Comment 1 Guilherme de Almeida Suckevicz 2020-06-19 16:55:13 UTC
Created rubygem-rack tracking bugs for this issue:

Affects: epel-all [bug 1849143]
Affects: fedora-all [bug 1849142]

Comment 2 Yadnyawalk Tale 2020-06-22 04:21:01 UTC
External References:

https://groups.google.com/forum/#!msg/rubyonrails-security/OWtmozPH9Ak/4m00yHPCBAAJ

Comment 3 Yadnyawalk Tale 2020-06-22 07:26:02 UTC
* HackerOne report: https://hackerone.com/reports/895727
* Cookie RFC: https://www.ietf.org/rfc/rfc2965.txt
* Initial idea of Magic-cookies aka cookie prefixes: https://textslashplain.com/2015/10/09/duct-tape-and-baling-wirecookie-prefixes/
* Idea to proposal; allowed prefix pattern: https://tools.ietf.org/html/draft-west-cookie-prefixes-05#section-3

   Set-Cookie: __Secure-SID=12345; Secure; Domain=example.com
   Set-Cookie: __Host-SID=12345; Secure; Domain=example.com; Path=/

The flaw in Rack allows a __%48ost-, __%53ecure- or custom cookie to be set without HTTPS/root domain/secure page flag. With this escape, an attacker could set this cookie from a subdomain and have it apply to the root domain.

Comment 4 Yadnyawalk Tale 2020-06-22 07:27:03 UTC
Upstream fix: https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c

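The prefix bypass described in Comment 3, shown as an added illustration (not Rack's code and not the upstream fix itself): a simplified cookie-header parser that percent-decodes cookie names, beside a hardened one that keeps names verbatim. The header, the first-occurrence-wins rule and both parsers are assumptions constructed for the example.

```ruby
require 'cgi'

# Constructed Cookie header. A browser applies the __Host-/__Secure- rules only
# to the literal name it stores, so "__%48ost-SID" is an ordinary cookie that a
# subdomain can set over plain HTTP, even though it percent-decodes to
# "__Host-SID". The legitimate prefixed cookie follows it in the header.
SPOOFED_HEADER = 'SID=abc; __%48ost-SID=attacker; __Host-SID=real; __%53ecure-token=evil'

# Hypothetical pre-fix behaviour: the cookie NAME is percent-decoded along with
# the value, so the spoofed name collapses onto the protected one. With a
# first-occurrence-wins rule (assumed here) the decoded spoof shadows the real
# __Host-SID and the legitimate value is silently dropped.
def parse_cookies_decoding_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    name = CGI.unescape(name)
    cookies[name] = CGI.unescape(value.to_s) unless cookies.key?(name)
  end
end

# Hardened behaviour: keep the name exactly as the browser sent it and decode
# only the value. "__%48ost-SID" and "__Host-SID" now stay distinct, so a
# prefix check on the name sees the same spelling the browser enforced.
def parse_cookies_raw_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    cookies[name] = CGI.unescape(value.to_s) unless cookies.key?(name)
  end
end

# Only cookies whose literal name carries a prefix may be treated as
# browser-validated (Secure, host-only, root path).
PREFIX_RE = /\A__(Host|Secure)-/

def trusted_prefixed_cookies(cookies)
  cookies.select { |name, _| name.match?(PREFIX_RE) }
end

if __FILE__ == $PROGRAM_NAME
  p trusted_prefixed_cookies(parse_cookies_decoding_names(SPOOFED_HEADER))
  # {"__Host-SID"=>"attacker", "__Secure-token"=>"evil"}
  p trusted_prefixed_cookies(parse_cookies_raw_names(SPOOFED_HEADER))
  # {"__Host-SID"=>"real"}
end
```

The decoding parser hands the application an attacker-controlled value under a name it believes the browser protected; the hardened parser leaves the spoofed cookie visible under its encoded name, where a prefix check rejects it.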
Comment 15 amctagga 2020-06-30 14:21:35 UTC
Statement:

Because Red Hat OpenStack Platform 13.0 Operational Tools packages ships the flawed code, but does not use its functionality, its Impact has been reduced to 'Low'.

Red Hat Satellite 6 and Red Hat CloudForms ship affected RubyGem Rack; however, since overwriting cookies is not possible, the products are not vulnerable to the flaw. We may update the Rack dependency in a future release.

Red Hat Gluster Storage 3 ships RubyGem Rack, but the version shipped does not contain the affected code. Therefore, it is impossible to overwrite cookies using this particular flaw.

Comment 16 errata-xmlrpc 2020-10-27 12:57:23 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.7 for RHEL 8

Via RHSA-2020:4366 https://access.redhat.com/errata/RHSA-2020:4366

Comment 17 Product Security DevOps Team 2020-10-27 14:21:50 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-8184

