Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2015-1820
Vulnerability from gsd - Updated: 2015-03-24 00:00Details
REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.
Aliases
{
"GSD": {
"alias": "CVE-2015-1820",
"description": "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.",
"id": "GSD-2015-1820",
"references": [
"https://www.suse.com/security/cve/CVE-2015-1820.html",
"https://access.redhat.com/errata/RHSA-2021:1313",
"https://access.redhat.com/errata/RHBA-2015:1100",
"https://advisories.mageia.org/CVE-2015-1820.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rest-client",
"purl": "pkg:gem/rest-client"
}
}
],
"aliases": [
"CVE-2015-1820",
"OSVDB-119878",
"GHSA-3fhf-6939-qg8p"
],
"details": "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.",
"id": "GSD-2015-1820",
"modified": "2015-03-24T00:00:00.000Z",
"published": "2015-03-24T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rest-client/rest-client/issues/369"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.8,
"type": "CVSS_V3"
}
],
"summary": "CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1820",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rest-client/rest-client/issues/369",
"refsource": "CONFIRM",
"url": "https://github.com/rest-client/rest-client/issues/369"
},
{
"name": "73295",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/73295"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1205291",
"refsource": "CONFIRM",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205291"
},
{
"name": "[oss-security] 20150323 CVE-2015-1820: ruby rest-client session fixation vulnerability",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2015/03/24/3"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2015-1820",
"cvss_v3": 9.8,
"date": "2015-03-24",
"description": "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect.",
"gem": "rest-client",
"ghsa": "3fhf-6939-qg8p",
"osvdb": 119878,
"patched_versions": [
"\u003e= 1.8.0"
],
"title": "CVE-2015-1820 rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses",
"unaffected_versions": [
"\u003c= 1.6.0"
],
"url": "https://github.com/rest-client/rest-client/issues/369"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=1.6.1 \u003c1.8.0",
"affected_versions": "All versions starting from 1.6.1 before 1.8.0",
"credit": "Andy Brody - Stripe",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-384",
"CWE-937"
],
"date": "2017-08-21",
"description": "The package rest-client in `abstract_response.rb` improperly handles `Set-Cookie` headers on HTTP redirection responses. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal any cookies set by the third-party redirection request.",
"fixed_versions": [
"1.8.0"
],
"identifier": "CVE-2015-1820",
"identifiers": [
"CVE-2015-1820"
],
"not_impacted": "All versions before 1.6.1, all versions starting from 1.8.0",
"package_slug": "gem/rest-client",
"pubdate": "2017-08-09",
"solution": "Upgrade to version 1.8.0 or above.",
"title": "Session fixation vulnerability via Set-Cookie headers",
"urls": [
"https://github.com/rest-client/rest-client/issues/369"
],
"uuid": "19699d7d-61c9-455c-bff9-00120e1e51dc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rest-client_project:rest-client:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "1.7.3",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2015-1820"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "REST client for Ruby (aka rest-client) before 1.8.0 allows remote attackers to conduct session fixation attacks or obtain sensitive cookie information by leveraging passage of cookies set in a response to a redirect."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-384"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rest-client/rest-client/issues/369",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/rest-client/rest-client/issues/369"
},
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1205291",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Patch",
"Third Party Advisory",
"VDB Entry"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1205291"
},
{
"name": "73295",
"refsource": "BID",
"tags": [
"Third Party Advisory",
"VDB Entry"
],
"url": "http://www.securityfocus.com/bid/73295"
},
{
"name": "[oss-security] 20150323 CVE-2015-1820: ruby rest-client session fixation vulnerability",
"refsource": "MLIST",
"tags": [
"Mailing List",
"VDB Entry"
],
"url": "http://www.openwall.com/lists/oss-security/2015/03/24/3"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": true,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2017-08-21T16:34Z",
"publishedDate": "2017-08-09T18:29Z"
}
}
}