GSD-2022-31033

Vulnerability from gsd - Updated: 2022-06-09 00:00
Details
**Summary** Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a redirect to a different port on the same site. **Mitigation** Upgrade to Mechanize v2.8.5 or later. **Notes** See [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl. Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part: > Cookies do not provide isolation by port. If a cookie is readable > by a service running on one port, the cookie is also readable by a > service running on another port of the same server. If a cookie is > writable by a service on one port, the cookie is also writable by a > service running on another port of the same server. For this > reason, servers SHOULD NOT both run mutually distrusting services on > different ports of the same host and use cookies to store security- > sensitive information.
Aliases
Aliases
CVE-2022-31033
To clipboard 

{
  "GSD": {
    "alias": "CVE-2022-31033",
    "description": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.",
    "id": "GSD-2022-31033"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "mechanize",
            "purl": "pkg:gem/mechanize"
          }
        }
      ],
      "aliases": [
        "CVE-2022-31033",
        "GHSA-64qm-hrgp-pgr9"
      ],
      "details": "**Summary**\n\nMechanize (rubygem) `\u003c v2.8.5` leaks the `Authorization` header after a\nredirect to a different port on the same site.\n\n**Mitigation**\n\nUpgrade to Mechanize v2.8.5 or later.\n\n**Notes**\n\nSee [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.\n\nCookies are shared with a server at a different port on the same site, per\nhttps://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:\n\n\u003e Cookies do not provide isolation by port.  If a cookie is readable\n\u003e by a service running on one port, the cookie is also readable by a\n\u003e service running on another port of the same server.  If a cookie is\n\u003e writable by a service on one port, the cookie is also writable by a\n\u003e service running on another port of the same server.  For this\n\u003e reason, servers SHOULD NOT both run mutually distrusting services on\n\u003e different ports of the same host and use cookies to store security-\n\u003e sensitive information.\n",
      "id": "GSD-2022-31033",
      "modified": "2022-06-09T00:00:00.000Z",
      "published": "2022-06-09T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
        },
        {
          "type": "WEB",
          "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 5.9,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Authorization header leak on port redirect in mechanize"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2022-31033",
        "STATE": "PUBLIC",
        "TITLE": "Authorization header leak in rubygem Mechanize"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "mechanize",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 2.8.5"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "sparklemotion"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9",
            "refsource": "CONFIRM",
            "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
          },
          {
            "name": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317",
            "refsource": "MISC",
            "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
          },
          {
            "name": "FEDORA-2022-fda14723ec",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
          },
          {
            "name": "FEDORA-2022-6b1b324753",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-64qm-hrgp-pgr9",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2022-31033",
      "cvss_v3": 5.9,
      "date": "2022-06-09",
      "description": "**Summary**\n\nMechanize (rubygem) `\u003c v2.8.5` leaks the `Authorization` header after a\nredirect to a different port on the same site.\n\n**Mitigation**\n\nUpgrade to Mechanize v2.8.5 or later.\n\n**Notes**\n\nSee [https://curl.se/docs/CVE-2022-27776.html](CVE-2022-27776) for a similar vulnerability in curl.\n\nCookies are shared with a server at a different port on the same site, per\nhttps://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:\n\n\u003e Cookies do not provide isolation by port.  If a cookie is readable\n\u003e by a service running on one port, the cookie is also readable by a\n\u003e service running on another port of the same server.  If a cookie is\n\u003e writable by a service on one port, the cookie is also writable by a\n\u003e service running on another port of the same server.  For this\n\u003e reason, servers SHOULD NOT both run mutually distrusting services on\n\u003e different ports of the same host and use cookies to store security-\n\u003e sensitive information.\n",
      "gem": "mechanize",
      "ghsa": "64qm-hrgp-pgr9",
      "patched_versions": [
        "\u003e= 2.8.5"
      ],
      "related": {
        "url": [
          "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
        ]
      },
      "title": "Authorization header leak on port redirect in mechanize",
      "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c2.8.5",
          "affected_versions": "All versions before 2.8.5",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-200",
            "CWE-937"
          ],
          "date": "2022-11-29",
          "description": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue.",
          "fixed_versions": [
            "2.8.5"
          ],
          "identifier": "CVE-2022-31033",
          "identifiers": [
            "CVE-2022-31033",
            "GHSA-64qm-hrgp-pgr9"
          ],
          "not_impacted": "All versions starting from 2.8.5",
          "package_slug": "gem/mechanize",
          "pubdate": "2022-06-09",
          "solution": "Upgrade to version 2.8.5 or above.",
          "title": "Authorization header leak on port redirect in mechanize",
          "urls": [
            "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9",
            "https://github.com/advisories/GHSA-64qm-hrgp-pgr9"
          ],
          "uuid": "f05bb879-cef1-4112-b68b-254bc2f2e8a6"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:mechanize_project:mechanize:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.8.5",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2022-31033"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Mechanize library is used for automating interaction with websites. Mechanize automatically stores and sends cookies, follows redirects, and can follow links and submit forms. In versions prior to 2.8.5 the Authorization header is leaked after a redirect to a different port on the same site. Users are advised to upgrade to Mechanize v2.8.5 or later. There are no known workarounds for this issue."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-200"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/security/advisories/GHSA-64qm-hrgp-pgr9"
            },
            {
              "name": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/sparklemotion/mechanize/commit/c7fe6996a5b95f9880653ba3bc548a8d4ef72317"
            },
            {
              "name": "FEDORA-2022-6b1b324753",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7OKZMR5O3T5HQ2V737TC7IU4WZRT2LGX/"
            },
            {
              "name": "FEDORA-2022-fda14723ec",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OA2FJROTX2U6EBWDPKRQ2VAM67A5TQXF/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2022-11-29T16:55Z",
      "publishedDate": "2022-06-09T20:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.