Home > Vulnerability Database > CVE-2024-26144

Mend.io Vulnerability Database

CVE-2024-26144

Good to know:

Date: February 27, 2024

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Language: Ruby

Severity Score

5.3

Related Resources (8)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-26144

Url: https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g

Url: https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml

Url: https://security-tracker.debian.org/tracker/CVE-2024-26144

Url: https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433

Url: https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945

Url: https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3

Url: https://www.mend.io/vulnerability-database/CVE-2024-26144

Severity Score

5.3

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Top Fix

Upgrade Version

Upgrade to version rails - 6.1.7.7,7.0.8.1

Learn More

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-26144

Good to know:

Date: February 27, 2024

Language: Ruby

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?