Verified Commit 008cff32 authored by georg

CI: bundle-audit: Ignore CVE-2020-8184

Percent-encoded cookies can be used to overwrite existing prefixed
cookie names

It is possible to forge a secure or host-only cookie prefix in Rack
using an arbitrary cookie write by using URL encoding (percent-encoding)
on the name of the cookie. This could result in an application that is
dependent on this prefix to determine if a cookie is safe to process
being manipulated into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected:  rack < 2.2.3, rack < 2.1.4
Not affected:       Applications which do not rely on __Host- and
                    __Secure- prefixes to determine if a cookie is safe
                    to process
Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4
parent abcd0ca2
Pipeline #41320 passed with stages
in 15 minutes and 18 seconds
......@@ -123,7 +123,7 @@ bundler:audit:
- gem install bundler-audit --no-document
- bundle install --jobs $(nproc) --path vendor
- bundle-audit update
- bundle-audit check --ignore CVE-2020-8161 CVE-2020-8165
- bundle-audit check --ignore CVE-2020-8161 CVE-2020-8165 CVE-2020-8184
stage: debian:build
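Review bot: The new `--ignore ... CVE-2020-8184` entry carries no justification in the pipeline config, so nothing in the hunk records why this advisory is safe to suppress or when the ignore should be removed. The commit message gives the rationale (the application is only unaffected if it does not rely on the `__Host-` / `__Secure-` cookie prefixes to decide whether a cookie is safe to process), but that reasoning lives only in git history; a future maintainer reading `.gitlab-ci.yml` will see three ignored rack CVEs and no way to tell which are still valid. Suggest adding a YAML comment above the `bundle-audit check` line, one per ignored CVE, stating the reason and the condition for dropping it, e.g. `# CVE-2020-8184: app does not use __Host-/__Secure- cookie prefixes; remove once rack >= 2.2.3 / 2.1.4`. The ignore also hides the fact that the pinned rack is below the fixed versions named in the message (rack >= 2.2.3, rack >= 2.1.4); the durable fix is to bump rack and delete the ignore rather than let the ignore list keep growing, so a follow-up issue for the upgrade would be worth linking here.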