Percent-encoded cookies can be used to overwrite existing prefixed
cookie names

It is possible to forge a secure or host-only cookie prefix in Rack
using an arbitrary cookie write by using URL encoding (percent-encoding)
on the name of the cookie. This could result in an application that is
dependent on this prefix to determine if a cookie is safe to process
being manipulated into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected:  rack < 2.2.3, rack < 2.1.4
Not affected:       Applications which do not rely on __Host- and
                    __Secure- prefixes to determine if a cookie is safe
                    to process
Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4