PT-2021-23224 · Rubygems · Rails Multisite

Jomaxro · Published 2021-11-15 · Updated 2022-08-09 · CVE-2021-41263

CVSS v3.1: 8.3 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H

Name of the Vulnerable Software and Affected Versions: rails_multisite (Rails Multisite) gem, versions prior to 4

Description: The issue affects Rails applications that use rails_multisite together with Rails' signed or encrypted cookies. Because a signed or encrypted cookie is not bound to the 'site' that issued it, an attacker who holds a cookie valid for one site may, depending on how the application uses these cookies, be able to replay it against a different site served by the same multi-site Rails application.

Recommendations: For versions prior to 4, upgrade to v4 of the rails_multisite gem. Note that this upgrade invalidates all previously issued signed/encrypted cookies; the impact of that invalidation varies with the application architecture. As a temporary workaround, consider restricting what the application stores in, or trusts from, signed/encrypted cookies until the upgrade is applied.
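The following Ruby example is added here to illustrate both the description and the recommendation above; it is not code from the rails_multisite gem or from the advisory. It uses only the standard library: a small `SignedCookieJar` stands in for Rails' signed cookie jar (same `payload--hmac` shape, but JSON rather than Rails' real serializer), `shared_jar` models the vulnerable pattern where every site signs with one key, and `per_site_jar` shows one hardening approach, deriving a per-site signing key from `secret_key_base` and the site name. The site names, the secret and the session contents are constructed, and the per-site HMAC derivation is an illustrative choice, not a claim about how v4 of the gem fixes the issue.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Minimal model of a Rails signed cookie: base64(JSON payload) "--" hex HMAC.
# Stand-in for ActiveSupport::MessageVerifier, written for this example only.
class SignedCookieJar
  def initialize(key)
    @key = key
  end

  def generate(value)
    data = Base64.strict_encode64(JSON.generate(value))
    "#{data}--#{digest(data)}"
  end

  # Returns the decoded value, or nil when the signature does not verify.
  def verify(cookie)
    data, sig = cookie.to_s.split('--', 2)
    return nil if data.nil? || sig.nil? || !secure_compare(digest(data), sig)
    JSON.parse(Base64.strict_decode64(data))
  rescue ArgumentError, JSON::ParserError
    nil
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest('SHA256', @key, data)
  end

  # Constant-time comparison so signature checks do not leak timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Constructed secret; a real app reads Rails.application.secret_key_base.
SECRET_KEY_BASE = 'constructed-secret-key-base-for-the-example-only'

# Vulnerable pattern: one key for every site, so a cookie minted on any site
# verifies on every other site served by the same multi-site process.
def shared_jar(_site)
  SignedCookieJar.new(SECRET_KEY_BASE)
end

# Hardened pattern (illustrative, not the gem's own fix): derive the signing
# key from the secret AND the site name. A cookie issued for one site then
# fails verification on another, and switching to this scheme invalidates
# every previously issued cookie, which is the side effect the advisory notes.
def per_site_jar(site)
  key = OpenSSL::HMAC.digest('SHA256', SECRET_KEY_BASE, "signed_cookie:#{site}")
  SignedCookieJar.new(key)
end

# Mint a cookie on forum-a.example, then present it to forum-a, to forum-b,
# and once more after tampering with the payload.
def cross_site_replay(jar_for)
  session = { 'user_id' => 42, 'role' => 'admin' }
  cookie = jar_for.call('forum-a.example').generate(session)
  {
    'same_site'  => jar_for.call('forum-a.example').verify(cookie),
    'other_site' => jar_for.call('forum-b.example').verify(cookie),
    'tampered'   => jar_for.call('forum-a.example').verify(cookie.sub('--', 'x--'))
  }
end

if $PROGRAM_NAME == __FILE__
  p cross_site_replay(method(:shared_jar))   # 'other_site' => {"user_id"=>42, "role"=>"admin"}
  p cross_site_replay(method(:per_site_jar)) # 'other_site' => nil
end
```

With the shared key, the cookie minted on forum-a is accepted unchanged on forum-b, which is the cross-site reuse the advisory describes; with a per-site key it is rejected there while still verifying on its own site, and tampered payloads are rejected in both schemes. In a real Rails application the equivalent change is to make the cookie signing and encryption secrets (or the verifier's purpose/salt) depend on the current site, and to plan for the resulting cookie invalidation.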

Weakness Enumeration

Information Disclosure

Use of a Broken Cryptographic Algorithm

Related Identifiers

CVE-2021-41263
GHSA-844M-CPR9-JCMH

Affected Products

Rails Multisite