Bug 1220525 (CVE-2024-26144)

Summary: VUL-0: CVE-2024-26144: rubygem-rails-4_2,rubygem-rails-5_1: rubygem-activestorage: Possible Sensitive Session Information Leak in Active Storage
Product: [Novell Products] SUSE Security Incidents Reporter: SMASH SMASH <smash_bz>
Component: IncidentsAssignee: Dan Čermák <dcermak>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: andrea.mattiazzo
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/395117/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26144:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description SMASH SMASH 2024-02-28 09:12:12 UTC 
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26144
https://bugzilla.redhat.com/show_bug.cgi?id=2266063
https://www.cve.org/CVERecord?id=CVE-2024-26144
https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml

Patch:
https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
Comment 1 Andrea Mattiazzo 2024-02-28 09:13:19 UTC 
Tracking as affected:
-openSUSE:Factory/rubygem-activestorage-7.0
-openSUSE:Factory/rubygem-rails-7.0