[CVE-2020-8184] Percent-encoded cookies can be used to overwrite existing prefixed cookie names

3,285 views
Skip to first unread message

Aaron Patterson

unread,
Jun 15, 2020, 6:29:03 PM6/15/20
to rubyonrail...@googlegroups.com, ruby-sec...@googlegroups.com
Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by using URL encoding (percent-encoding) on the
name of the cookie. This could result in an application that is dependent on
this prefix to determine if a cookie is safe to process being manipulated
into processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact
------

An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Releases
--------

The fixed releases are available on RubyGems.

Workarounds
-----------

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
module Utils
module_function def parse_cookies_header(header)
return {} unless header
header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
next if cookie.empty?
key, value = cookie.split('=', 2)
cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
end
end
end
end

Patches
-------

For developers who are not able to immediately upgrade their applications,
we are including the following patches for Rack 2.1.3 and Rack 2.2.2:

* 2-1-only-decode-cookie-values.patch
* 2-2-only-decode-cookie-values.patch

Credits
-------

Thank you to the GitHub security team and Matt Langlois (@fletchto99) for reporting this bug and
providing a patch.
2-1-only-decode-cookie-values.patch
2-2-only-decode-cookie-values.patch
Reply all
Reply to author
Forward
0 new messages