• georg's avatar
    CI: bundle-audit: Ignore CVE-2020-8184 · 008cff32
    georg authored
    Percent-encoded cookies can be used to overwrite existing prefixed
    cookie names
    
    It is possible to forge a secure or host-only cookie prefix in Rack
    using an arbitrary cookie write by using URL encoding (percent-encoding)
    on the name of the cookie. This could result in an application that is
    dependent on this prefix to determine if a cookie is safe to process
    being manipulated into processing an insecure or cross-origin request.
    This vulnerability has been assigned the CVE identifier CVE-2020-8184.
    
    Versions Affected:  rack < 2.2.3, rack < 2.1.4
    Not affected:       Applications which do not rely on __Host- and
                        __Secure- prefixes to determine if a cookie is safe
                        to process
    Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4
    008cff32
Validating GitLab CI configuration… Learn more