PT-2007-6979 · Ruby · Ruby On Rails

Published: 2007-11-21 · Updated: 2019-08-08 · CVE-2007-6077

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: Ruby on Rails version 1.2.4

Description: The session fixation protection mechanism in Ruby on Rails allows remote attackers to conduct session fixation attacks. The cause is an incomplete fix for a previous issue: the :cookie_only attribute is applied only to the first instantiation of CgiRequest.

Recommendations: For Ruby on Rails version 1.2.4, apply a complete fix to the session fixation protection mechanism so that remote attackers cannot conduct session fixation attacks. As a temporary workaround, restrict access to sensitive areas of the application that rely on session fixation protection until a complete fix is applied.
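The defect described above, as a constructed Ruby model added here (not Rails source): a cookie_only flag that is consumed when the first request object is built, so later requests accept a session id from the URL again, beside a variant that evaluates the flag on every request. FakeRequest, BuggySessionLookup, SafeSessionLookup and accepted_ids are illustrative names, not Rails APIs.

```ruby
# Constructed model (not Rails source) of the advisory's defect: a
# cookie_only option honoured only for the first request object built.

SESSION_KEY = "_session_id".freeze

# Minimal stand-in for an incoming request: cookie and query-param hashes.
FakeRequest = Struct.new(:cookies, :params)

# Incomplete fix: the flag is removed from the shared options hash when
# the first request object is built, so every later one sees it as unset.
class BuggySessionLookup
  def initialize(options)
    @cookie_only = options.delete(:cookie_only) || false
  end

  def session_id(request)
    request.cookies[SESSION_KEY] ||
      (@cookie_only ? nil : request.params[SESSION_KEY])
  end
end

# Complete fix: read the flag non-destructively for every request, and
# default to cookie-only so a URL-supplied id is never trusted by accident.
class SafeSessionLookup
  def initialize(options)
    @cookie_only = options.fetch(:cookie_only, true)
  end

  def session_id(request)
    request.cookies[SESSION_KEY] ||
      (@cookie_only ? nil : request.params[SESSION_KEY])
  end
end

# Build two consecutive request objects from the same options hash, each
# carrying a session id only in the URL (constructed input), and return
# the id each lookup accepted; nil means the URL id was ignored.
def accepted_ids(lookup_class, options)
  url_only = FakeRequest.new({}, { SESSION_KEY => "url-supplied-id" })
  (1..2).map { lookup_class.new(options).session_id(url_only) }
end
```

With the buggy lookup the second request yields "url-supplied-id", which is the behaviour a regression test for this fix should assert against.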

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2007-6077
GHSA-P4C6-77GC-694X

Affected Products

Ruby On Rails