6.8

CVE-2007-6077

The session fixation protection mechanism in cgi_process.rb in Rails 1.2.4, as used in Ruby on Rails, removes the :cookie_only attribute from the DEFAULT_SESSION_OPTIONS constant, which effectively causes cookie_only to be applied only to the first instantiation of CgiRequest, which allows remote attackers to conduct session fixation attacks.  NOTE: this is due to an incomplete fix for CVE-2007-5380.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
   RubyonrailsRails Version1.2.4
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.51% 0.827
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

http://docs.info.apple.com/article.html?artnum=307179
http://lists.apple.com/archives/security-announce/2007/Dec/msg00002.html
http://secunia.com/advisories/28136
Vendor Advisory
http://www.us-cert.gov/cas/techalerts/TA07-352A.html
US Government Resource
http://www.vupen.com/english/advisories/2007/4238
Vendor Advisory
http://dev.rubyonrails.org/changeset/8177
http://dev.rubyonrails.org/ticket/10048
Patch
http://secunia.com/advisories/27781
Vendor Advisory
http://weblog.rubyonrails.org/2007/11/24/ruby-on-rails-1-2-6-security-and-maintenance-release
http://www.securityfocus.com/bid/26598
http://www.vupen.com/english/advisories/2007/4009
Vendor Advisory