Bug 1220525 (CVE-2024-26144) - VUL-0: CVE-2024-26144: rubygem-rails-4_2,rubygem-rails-5_1: rubygem-activestorage: Possible Sensitive Session Information Leak in Active Storage
Summary: VUL-0: CVE-2024-26144: rubygem-rails-4_2,rubygem-rails-5_1: rubygem-activesto...
Status: NEW
Alias: CVE-2024-26144
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Major
Target Milestone: ---
Assignee: Dan Čermák
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/395117/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-26144:7.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-02-28 09:12 UTC by SMASH SMASH
Modified: 2024-02-28 09:15 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2024-02-28 09:12:12 UTC 
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26144
https://bugzilla.redhat.com/show_bug.cgi?id=2266063
https://www.cve.org/CVERecord?id=CVE-2024-26144
https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945
https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml

Patch:
https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433
https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3
Comment 1 Andrea Mattiazzo 2024-02-28 09:13:19 UTC 
Tracking as affected:
-openSUSE:Factory/rubygem-activestorage-7.0
-openSUSE:Factory/rubygem-rails-7.0