mberlanda / cheidelacoriera

This Rails application aims to become a management system for away fans.
GNU General Public License v3.0

chore(deps): update dependency rails to v6.1.7.7 [security] - autoclosed #257

Status: Closed. renovate[bot] closed this 6 months ago.

renovate[bot] commented 6 months ago

Mend Renovate

This PR contains the following updates:

| Package | Change |
| --- | --- |
| rails (source, changelog) | 6.1.7.4 -> 6.1.7.7 |

GitHub Vulnerability Alerts

CVE-2024-26144

Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0
Not affected: < 5.2.0, > 7.1.0
Fixed Versions: 7.0.8.1, 6.1.7.7

Impact

A proxy which chooses to cache this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa.

This was patched in 7.1.0 but not previously identified as a security vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases

The fixed releases are available at the normal locations.

Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers.

Credits

Thanks to tyage for reporting this!


Release Notes

rails/rails (rails)

### [`v6.1.7.7`](https://togithub.com/rails/rails/releases/tag/v6.1.7.7): 6.1.7.7

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.6...v6.1.7.7)

#### Active Storage

- Disables the session in `ActiveStorage::Blobs::ProxyController` and `ActiveStorage::Representations::ProxyController` in order to allow caching by default in some CDNs such as CloudFlare. Fixes [#44136](https://togithub.com/rails/rails/issues/44136). *Bruno Prieto*

Active Support, Active Model, Active Record, Action View, Action Pack, Active Job, Action Mailer, Action Cable, Action Mailbox, Action Text, Railties: no changes.

### [`v6.1.7.6`](https://togithub.com/rails/rails/releases/tag/v6.1.7.6)

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.5...v6.1.7.6)

No changes between this and 6.1.7.5. This release was just to fix file permissions in the previous release.

### [`v6.1.7.5`](https://togithub.com/rails/rails/releases/tag/v6.1.7.5): 6.1.7.5 Release

[Compare Source](https://togithub.com/rails/rails/compare/v6.1.7.4...v6.1.7.5)

#### Active Support

- Use a temporary file for storing unencrypted files while editing [CVE-2023-38037]

Active Model, Active Record, Action View, Action Pack, Active Job, Action Mailer, Action Cable, Active Storage, Action Mailbox, Action Text, Railties: no changes.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
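The leak that CVE-2024-26144 describes, as an added example that is neither Rails code nor code from this repository: a stand-alone Ruby model of a shared caching proxy sitting in front of an Active Storage blob proxy endpoint. The blob path, cookie name and session ids are constructed for the example. `vulnerable_origin` stands in for the pre-6.1.7.7 proxy controllers, which load the session (so the session middleware writes `Set-Cookie`) while marking the body `Cache-Control: public`; `fixed_origin` stands in for the patched controllers with the session disabled; `CookieStrippingProxy` stands in for the advisory's workaround of a proxy configured not to cache `Set-Cookie`. `unsafe_to_share?` is the header check to run against a deployment's own blob URLs.

```ruby
# Added example, not Rails or project code. Models how a shared caching proxy
# turns a "Cache-Control: public" response that also carries Set-Cookie into a
# cross-user session leak, and the two ways to stop it: drop the cookie at the
# origin (the 6.1.7.7 / 7.0.8.1 fix) or have the proxy ignore it (the
# advisory's workaround). Paths, cookie names and session ids are constructed.

Response = Struct.new(:status, :headers, :body)

BLOB_PATH = "/rails/active_storage/blobs/proxy/abc123/cat.png" # constructed

# Pre-fix origin: the proxy controller touches the session, so the session
# middleware appends Set-Cookie for the requesting user, while the controller
# marks the body publicly cacheable for a very long time.
def vulnerable_origin(_path, user)
  Response.new(200,
               { "Cache-Control" => "public, max-age=3155695200",
                 "Content-Type"  => "image/png",
                 "Set-Cookie"    => "_app_session=sess-#{user}; path=/; HttpOnly" },
               "<png bytes>")
end

# Post-fix origin: the session is disabled in the proxy controllers, so no
# Set-Cookie is emitted; the body is still publicly cacheable.
def fixed_origin(_path, _user)
  Response.new(200,
               { "Cache-Control" => "public, max-age=3155695200",
                 "Content-Type"  => "image/png" },
               "<png bytes>")
end

# Deployment check: a response that is publicly cacheable and also sets a
# cookie must never reach a shared cache. Feed it the headers returned by a
# `curl -sI` against one of your own blob proxy URLs.
def unsafe_to_share?(headers)
  cc = headers.fetch("Cache-Control", "").downcase
  shared_cacheable = cc.include?("public") && !cc.include?("private") && !cc.include?("no-store")
  shared_cacheable && headers.keys.any? { |k| k.casecmp?("set-cookie") }
end

# A caching proxy that stores any public response verbatim, headers included,
# which is the behaviour the advisory warns about.
class NaiveCachingProxy
  def initialize(origin)
    @origin = origin
    @cache  = {}
  end

  def get(path, user)
    @cache[path] ||= @origin.call(path, user)
  end
end

# Workaround: strip Set-Cookie before anything is stored, so a cached copy
# can never carry another user's session.
class CookieStrippingProxy < NaiveCachingProxy
  def get(path, user)
    @cache[path] ||= begin
      resp = @origin.call(path, user)
      Response.new(resp.status,
                   resp.headers.reject { |k, _| k.casecmp?("set-cookie") },
                   resp.body)
    end
  end
end

# Two different users request the same blob through the proxy. Returns true
# when the second user is handed the first user's session cookie.
def session_leak?(proxy, path)
  proxy.get(path, "attacker")
  victim_view = proxy.get(path, "victim")
  cookie = victim_view.headers["Set-Cookie"]
  !cookie.nil? && cookie.include?("sess-attacker")
end

if __FILE__ == $PROGRAM_NAME
  { "vulnerable origin, naive proxy"     => NaiveCachingProxy.new(method(:vulnerable_origin)),
    "vulnerable origin, stripping proxy" => CookieStrippingProxy.new(method(:vulnerable_origin)),
    "fixed origin, naive proxy"          => NaiveCachingProxy.new(method(:fixed_origin)) }.each do |label, proxy|
    puts "#{label}: session leak = #{session_leak?(proxy, BLOB_PATH)}"
  end
end
```

Only the combination of a cookie-setting origin and a proxy that caches headers verbatim leaks; either change on its own is enough, which is why the advisory offers the proxy configuration as a workaround for applications that cannot upgrade immediately. Whether the proxy or CDN in front of a given deployment actually discards `Set-Cookie` on cached objects is exactly what `unsafe_to_share?` applied to real response headers is meant to surface.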