Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Possible Sensitive Session Information Leak in Active Storage
Vulnerability Description
Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
信息暴露
Vulnerability Title
Active Storage 安全漏洞
Vulnerability Description
Active Storage是一款用于将文件上传到多种云存储服务,并将文件附加到Active Record对象的插件。 Rails Active Storage 存在安全漏洞,该漏洞源于Active Storage 在提供 blob 时会发送Set-Cookie标头以及用户的会话 cookie,并将Cache-Control设置为公开,导致敏感会话信息泄露。
CVSS Information
N/A
Vulnerability Type
N/A