Ruby on Rails < 1.2.6 Cookie Related Session Fixation

medium Nessus Network Monitor Plugin ID 4299

Synopsis

The remote server can be used to attack user authentication data.

Description

The remote server is running the Ruby on Rails web application.
This version of Rails is reported to be vulnerable to a flaw in the way that it handles authentication data. Allegedly, the 'lib/action_controller/cgi_process.rb' script is vulnerable to a flaw that would allow an attacker to steal cookie data. An attacker could then use this data to gain access to the application with the user's credentials.

Solution

Upgrade to version 1.2.6 or higher.

Plugin Details

Severity: Medium

ID: 4299

Family: Web Servers

Published: 11/27/2007

Updated: 3/6/2019

Risk Information

VPR

Risk Factor: Medium

Score: 4.7

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:rubyonrails:ruby_on_rails

Reference Information

CVE: CVE-2007-6077

BID: 26598

Detections

Analytics

Ruby on Rails < 1.2.6 Cookie Related Session Fixation

medium Nessus Network Monitor Plugin ID 4299

Synopsis

Description

Solution

Plugin Details

Risk Information

VPR

CVSS v2

CVSS v3

Vulnerability Information

Reference Information