WS-2021-0407 | Mend Vulnerability Database

Vulnerability DatabaseWS-2021-0407

WS-2021-0407

February 13, 2025

rucio-webui installations of the 1.26 release line potentially leak the contents of cookies to other sessions within a wsgi container. Impact is that Rucio authentication tokens are leaked to other users accessing the webui within a close timeframe, thus allowing users to access the webui with the leaked authentication token. Privileges are therefore also escalated. Rucio server / daemons are not affected by this issue, it is isolated to the webui. This issue is fixed in the 1.26.7 release of the rucio-webui.

Related Resources (7)

https://github.com/rucio/rucio

https://github.com/rucio/rucio/security/advisories/GHSA-v988-828w-xvf2

https://github.com/rucio/rucio/issues/4810

https://github.com/rucio/rucio/commit/1dba6b57c91fd9856c59831e51a95f9e73b5815f

https://github.com/rucio/rucio/issues/4928

https://github.com/rucio/rucio/releases/tag/1.26.7

https://github.com/rucio/rucio/commit/8f832404ae88d6300e17d7e706b40fe58e0df90c

Do you need more information?

CVSS v4

Base Score:

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

PASSIVE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Weakness Type (CWE)

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Authentication Bypass by Primary Weakness

CWE-305

Products

Solutions

Resources

Company

Compare

Developer Tools