GHSA-64QM-HRGP-PGR9
Vulnerability from github – Published: 2022-06-09 23:47 – Updated: 2022-07-21 14:53
Summary
Mechanize (rubygem) < v2.8.5 leaks the Authorization header after a redirect to a different port on the same site.
Mitigation
Upgrade to Mechanize v2.8.5 or later.
Notes
See https://curl.se/docs/CVE-2022-27776.html for a similar vulnerability in curl.
Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:
Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.
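The defensive check behind this class of bug is an origin comparison that includes the port: credentials such as Authorization belong to the scheme/host/port triple they were issued for, not to the hostname alone. The following Ruby helper is an added example written for this page; it is not Mechanize's code and does not show how v2.8.5 implements its fix. The function names (same_origin?, headers_for_redirect) and the sample URLs are assumptions.

```ruby
require "uri"

# Request headers that carry credentials and must not follow a redirect
# across an origin boundary. (Constructed list for this example.)
CREDENTIAL_HEADERS = %w[Authorization Proxy-Authorization].freeze

# Two URIs are the same origin only when scheme, host AND port all match.
# URI.parse fills in the default port (80/443), so https://example.com and
# https://example.com:8443 compare as different origins, which is the case
# the advisory above describes.
def same_origin?(a, b)
  a = URI.parse(a) if a.is_a?(String)
  b = URI.parse(b) if b.is_a?(String)
  a.scheme.to_s.casecmp?(b.scheme.to_s) &&
    a.host.to_s.casecmp?(b.host.to_s) &&
    a.port == b.port
end

# Builds the header set for the redirected request. The Location value may
# be relative, so it is resolved against the original URL first. Credential
# headers are kept only when the target is the same origin.
def headers_for_redirect(original_url, location, headers)
  target = URI.join(original_url, location)
  return headers.dup if same_origin?(original_url, target)

  headers.reject { |name, _| CREDENTIAL_HEADERS.any? { |h| h.casecmp?(name) } }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request: an authenticated GET that gets redirected.
  headers = { "Authorization" => "Basic ZXhhbXBsZTpzZWNyZXQ=", "Accept" => "text/html" }
  original = "https://example.com/login"

  [["/dashboard", "same origin (relative Location)"],
   ["https://example.com:8443/admin", "same host, different port"],
   ["http://example.com/dashboard", "same host, different scheme/port"]].each do |loc, why|
    kept = headers_for_redirect(original, loc, headers).keys
    puts "#{why}: #{loc} -> headers sent: #{kept.join(', ')}"
  end
end
```

Note that the same port-aware comparison should not be applied to cookies: as the RFC 6265 excerpt above states, cookies deliberately have no port isolation, so cookie scoping is a separate decision from credential-header scoping.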
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "mechanize"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-31033"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-522"
],
"github_reviewed": true,
"github_reviewed_at": "2022-06-09T23:47:57Z",
"nvd_published_at": "2022-06-09T20:15:00Z",
"severity": "MODERATE"
},
"details": "**Summary**\n\nMechanize (rubygem) `\u003c v2.8.5` leaks the `Authorization` header after a redirect to a different port on the same site.\n\n**Mitigation**\n\nUpgrade to Mechanize v2.8.5 or later.\n\n**Notes**\n\nSee [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.\n\nCookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:\n\n\u003e Cookies do not provide isolation by port. If a cookie is readable\n\u003e by a service running on one port, the cookie is also readable by a\n\u003e service running on another port of the same server. If a cookie is\n\u003e writable by a service on one port, the cookie is also writable by a\n\u003e service running on another port of the same server. For this\n\u003e reason, servers SHOULD NOT both run mutually distrusting services on\n\u003e different ports of the same host and use cookies to store security-\n\u003e sensitive information.\n",
"id": "GHSA-64qm-hrgp-pgr9",
"modified": "2022-07-21T14:53:46Z",
"published": "2022-06-09T23:47:57Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31033"
},
{
"type": "WEB",
"url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/mechanize/CVE-2022-31033.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sparklemotion/mechanize"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Mechanize before v2.8.5 vulnerable to authorization header leak on port redirect"
}