CVE-2022-31033.yml
---
gem: mechanize
cve: 2022-31033
ghsa: 64qm-hrgp-pgr9
url: https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9
title: Authorization header leak on port redirect in mechanize
date: 2022-06-09
description: |
  **Summary**

  Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a
  redirect to a different port on the same site.

  **Mitigation**

  Upgrade to Mechanize v2.8.5 or later.

  **Notes**

  See [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) for a similar vulnerability in curl.

  Cookies are shared with a server at a different port on the same site, per
  https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:

  > Cookies do not provide isolation by port. If a cookie is readable
  > by a service running on one port, the cookie is also readable by a
  > service running on another port of the same server. If a cookie is
  > writable by a service on one port, the cookie is also writable by a
  > service running on another port of the same server. For this
  > reason, servers SHOULD NOT both run mutually distrusting services on
  > different ports of the same host and use cookies to store security-
  > sensitive information.
cvss_v3: 5.9
patched_versions:
  - ">= 2.8.5"
related:
  url:
    - https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317
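The advisory above describes the bug (the `Authorization` header following a redirect to a different port on the same host) and points at the curl analogue, but does not show the check a redirect-following client needs. The following is an added example written for this page; it is not mechanize's code and does not reproduce the linked fix commit. It uses an offline, constructed fake transport instead of a network, and it goes slightly beyond the port-only case in the advisory: credentials are dropped whenever the origin (scheme, host, port) of the redirect target differs from the origin the credential was sent to, which also covers the scheme-change variant curl fixed in CVE-2022-27776. `Cookie` is deliberately left alone, matching the RFC 6265 text quoted in the advisory.

```ruby
# Added example, not mechanize's code: strip origin-bound credentials when
# an HTTP redirect crosses an origin boundary. Names below (same_origin?,
# headers_for_redirect, FakeTransport, follow, demo) are chosen for this
# example only.
require 'uri'

# Two absolute URLs share an origin when scheme, host and port all match.
# URI fills in the default port (80/443), so "https://h/" == "https://h:443/".
def same_origin?(from, to)
  a = URI(from)
  b = URI(to)
  a.scheme.casecmp?(b.scheme) && a.host.casecmp?(b.host) && a.port == b.port
end

# Headers a client may carry into the redirected request. `Authorization`
# is bound to the origin it was sent to, so it is removed when the origin
# changes. `Cookie` is intentionally not touched: per RFC 6265 section 8.5
# cookies are not isolated by port, so a client that kept them is conforming.
def headers_for_redirect(from, to, headers)
  return headers.dup if same_origin?(from, to)

  headers.reject { |name, _| name.casecmp?('Authorization') }
end

# Constructed, offline stand-in for an HTTP server: maps an absolute URL to
# [status, Location-or-nil] and records every request it receives so the
# test can see which headers reached which origin.
class FakeTransport
  attr_reader :seen

  def initialize(routes)
    @routes = routes
    @seen = []
  end

  def request(url, headers)
    @seen << [url, headers]
    @routes.fetch(url)
  end
end

# Minimal redirect follower. `strip_credentials: false` reproduces the
# leaky behaviour the advisory describes; `true` applies the origin check.
def follow(transport, url, headers, strip_credentials:, max_redirects: 5)
  max_redirects.times do
    status, location = transport.request(url, headers)
    return [url, status] unless (300..399).cover?(status) && location

    target = URI.join(url, location).to_s
    headers = headers_for_redirect(url, target, headers) if strip_credentials
    url = target
  end
  raise 'too many redirects'
end

# Same host, different port: the exact shape of the advisory's bug.
# Returns whether the credential reached the :8080 service in each mode.
def demo
  routes = {
    'http://example.test/login'      => [302, 'http://example.test:8080/login'],
    'http://example.test:8080/login' => [200, nil]
  }
  creds = { 'Authorization' => 'Basic dXNlcjpwYXNz' } # constructed, "user:pass"

  leaky = FakeTransport.new(routes)
  follow(leaky, 'http://example.test/login', creds, strip_credentials: false)

  fixed = FakeTransport.new(routes)
  follow(fixed, 'http://example.test/login', creds, strip_credentials: true)

  {
    vulnerable: leaky.seen.last[1].key?('Authorization'),
    fixed:      fixed.seen.last[1].key?('Authorization')
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

`demo` returns `{vulnerable: true, fixed: false}`: with the leaky follower the `Basic` credential sent to port 80 is replayed to port 8080, and with the origin check it is not. Same-origin redirects (including a path-only `Location`) keep the header, so the fix does not break ordinary authenticated redirects.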