Related vulnerabilities
GSD-2008-7311
Vulnerability from gsd - Updated: 2008-08-12 00:00
Details
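Spree ships with a hardcoded config.action_controller_session hash value
(the secret key used by the session cookie store). Because the value is
the same in every application that keeps it in config/environment.rb, an
attacker may more easily bypass the cryptographic protection of session cookies.
The sources aggregated in the record below disagree on the first fixed version
(ruby-advisory-db lists ">= 0.3.0", GitLab lists "0.4.0"), so also confirm that
a deployed config/environment.rb no longer contains the shipped value.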
Aliases
{
"GSD": {
"alias": "CVE-2008-7311",
"description": "The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.",
"id": "GSD-2008-7311"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "spree",
"purl": "pkg:gem/spree"
}
}
],
"aliases": [
"CVE-2008-7311",
"OSVDB-81506"
],
"details": "Spree contains a hardcoded flaw related to the\nconfig.action_controller_session hash value. This may allow an attacker to\nmore easily bypass cryptographic protection.\n",
"id": "GSD-2008-7311",
"modified": "2008-08-12T00:00:00.000Z",
"published": "2008-08-12T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://spreecommerce.com/blog/security-vulernability-session-cookie-store"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 5.0,
"type": "CVSS_V2"
}
],
"summary": "Spree Hardcoded config.action_controller_session Hash Value Cryptographic\nProtection Weakness\n"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7311",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://support.spreehq.org/issues/show/63",
"refsource": "CONFIRM",
"url": "http://support.spreehq.org/issues/show/63"
},
{
"name": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/",
"refsource": "CONFIRM",
"url": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2008-7311",
"cvss_v2": 5.0,
"date": "2008-08-12",
"description": "Spree contains a hardcoded flaw related to the\nconfig.action_controller_session hash value. This may allow an attacker to\nmore easily bypass cryptographic protection.\n",
"gem": "spree",
"osvdb": 81506,
"patched_versions": [
"\u003e= 0.3.0"
],
"title": "Spree Hardcoded config.action_controller_session Hash Value Cryptographic\nProtection Weakness\n",
"url": "https://spreecommerce.com/blog/security-vulernability-session-cookie-store"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "=0.2.0",
"affected_versions": "Version 0.2.0",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2012-04-12",
"description": "The session cookie store implementation in Spree uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file.",
"fixed_versions": [
"0.4.0"
],
"identifier": "CVE-2008-7311",
"identifiers": [
"CVE-2008-7311"
],
"not_impacted": "All versions before 0.2.0, all versions after 0.2.0",
"package_slug": "gem/spree",
"pubdate": "2012-04-05",
"solution": "Upgrade to version 0.4.0 or above.",
"title": "Credentials Management Errors",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2008-7311",
"http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/",
"http://support.spreehq.org/issues/show/63"
],
"uuid": "1e2ced75-4029-4d4e-9be7-02e465576f5f"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:spreecommerce:spree:0.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2008-7311"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The session cookie store implementation in Spree 0.2.0 uses a hardcoded config.action_controller_session hash value (aka secret key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging an application that contains this value within the config/environment.rb file."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-255"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "http://spreecommerce.com/blog/2008/08/12/security-vulernability-session-cookie-store/"
},
{
"name": "http://support.spreehq.org/issues/show/63",
"refsource": "CONFIRM",
"tags": [],
"url": "http://support.spreehq.org/issues/show/63"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2012-04-12T04:00Z",
"publishedDate": "2012-04-05T13:25Z"
}
}
}