PT-2024-40976 · Microsoft · Ms Windows

Published 2024-01-10 · Updated 2024-01-10

None

No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
Name of the Vulnerable Software and Affected Versions: hawk2 versions prior to 2.6.4+git.1702030539.5fb7d91b
Description: The advisory covers the hawk2 software, in which several issues have been fixed: the HttpOnly and Secure cookie flags are now set by default, and CSRF protection has been added to errors_controller.rb. In addition, MIME type handling on MS Windows has been fixed, the CORS Access-Control-Allow-Origin header has been made configurable (parametrized), and the tests for Ruby 3.2 have been fixed. The sass-rails dependency has been pinned to version ~5.0, and the private key is no longer deleted when the public key is missing. A patch for backwards compatibility with sle155 has also been applied.
Recommendations: Update to version 2.6.4+git.1702030539.5fb7d91b or later, which includes the HttpOnly/Secure cookie flag and CSRF protection fixes. As a temporary workaround, consider restricting access to the errors controller (errors_controller.rb) until the update is applied.
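To make the two defaults named in this record concrete, the following is an added, self-contained Ruby example (not hawk2's own code, and independent of Rails): it builds a Set-Cookie header with HttpOnly and Secure on by default, and models a per-session CSRF token check of the kind a controller gains when it is protected. The names session_cookie_header, CsrfGuard, the cookie name _hawk_session and the session ids are assumptions constructed for the example.

```ruby
require 'securerandom'

# Added example (not hawk2's code): a minimal model of the two defaults the
# fixed hawk2 release turns on, as a Rack-style cookie header and a CSRF check.

# Build a Set-Cookie header value. HttpOnly keeps the cookie out of reach of
# document.cookie (limits what script injection can read); Secure keeps it off
# plaintext HTTP. Both default to on; callers must opt out explicitly.
def session_cookie_header(name, value, http_only: true, secure: true, same_site: 'Lax')
  attrs = ["#{name}=#{value}", 'Path=/']
  attrs << "SameSite=#{same_site}" if same_site
  attrs << 'Secure' if secure
  attrs << 'HttpOnly' if http_only
  attrs.join('; ')
end

# Hypothetical server-side session store mapping session id -> CSRF token.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  def initialize
    @tokens = {} # session_id => token issued to that session
  end

  # Issue (or reuse) a random token bound to a session.
  def token_for(session_id)
    @tokens[session_id] ||= SecureRandom.urlsafe_base64(32)
  end

  # Reject state-changing requests whose token is missing or does not match.
  # Returns [status, reason] so callers can log the reason.
  def check(session_id:, method:, submitted_token:)
    return [200, 'safe method'] if SAFE_METHODS.include?(method.upcase)
    expected = @tokens[session_id]
    return [403, 'no token issued for session'] if expected.nil?
    return [403, 'token missing'] if submitted_token.nil? || submitted_token.empty?
    return [403, 'token mismatch'] unless secure_compare(expected, submitted_token)
    [200, 'ok']
  end

  private

  # Constant-time comparison so a mismatch does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  puts session_cookie_header('_hawk_session', 'abc123')   # constructed cookie name/value
  guard = CsrfGuard.new
  tok = guard.token_for('sess-1')
  p guard.check(session_id: 'sess-1', method: 'POST', submitted_token: tok)
  p guard.check(session_id: 'sess-1', method: 'POST', submitted_token: nil)
end
```

The point of defaulting the flags on (rather than adding them per call site) is that a new cookie-setting path cannot forget them; likewise the CSRF check applies to every non-safe method, so an error-handling endpoint that accepts POST is covered without special-casing.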

Related Identifiers

SUSE-SU-2024:0076-1

Affected Products

Ms Windows