CI: bundle-audit: Ignore CVE-2020-8184 (!342) · Merge requests · schleuder / schleuder

georg requested to merge bundle-audit-ignore-CVE-2020-8184 into master Jun 16, 2020

Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using an arbitrary cookie write by using URL encoding (percent-encoding) on the name of the cookie. This could result in an application that is dependent on this prefix to determine if a cookie is safe to process being manipulated into processing an insecure or cross-origin request. This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4

Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process

Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Edited Jun 16, 2020 by georg

CI: bundle-audit: Ignore CVE-2020-8184

Merge request reports