CVE-2020-8184: Percent-encoded cookies can be used to overwrite existing prefixed cookie names

A "reliance on cookies without validation/integrity check" vulnerability exists in rack < 2.2.3 and rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.


Percent-encoded cookies can be used to overwrite existing prefixed cookie names

It is possible to forge a secure or host-only cookie prefix in Rack using
an arbitrary cookie write by percent-encoding (URL-encoding) the name of the
cookie. Rack decoded cookie names as well as cookie values, so a cookie
written under a name such as %5F%5FHost-session, which browsers do not
subject to the __Host- rules, was handed to the application as
__Host-session. An application that relies on this prefix to determine
whether a cookie is safe to process could therefore be manipulated into
processing an insecure or cross-origin request.
This vulnerability has been assigned the CVE identifier CVE-2020-8184.

Versions Affected: rack < 2.2.3, rack < 2.1.4
Not affected: Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
Fixed Versions: rack >= 2.2.3, rack >= 2.1.4

Impact
------

An attacker may be able to trick a vulnerable application into processing an
insecure (non-SSL) or cross-origin request if they can gain the ability to write
arbitrary cookies that are sent to the application.

Releases
--------

The fixed releases are available on RubyGems.

Workarounds
-----------

If your application is impacted but you cannot upgrade to the released versions or apply
the provided patch, this issue can be temporarily addressed by adding the following workaround:

module Rack
  module Utils
    # Decode only the cookie VALUE; the name is used exactly as the client sent
    # it, so a percent-encoded name can no longer turn into a __Host-/__Secure-
    # prefixed one.
    module_function def parse_cookies_header(header)
      return {} unless header
      header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
        next if cookie.empty?
        key, value = cookie.split('=', 2)
        # The first occurrence of a name wins; later duplicates are ignored.
        cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
      end
    end
  end
end
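The attack described above and the workaround's value-only decoding, side by side, as an added example that is not part of the advisory or of Rack's code. It reimplements the pre-fix behaviour (cookie names and values both percent-decoded) and the fixed behaviour using the standard library's URI.decode_www_form_component, which is what Rack::Utils.unescape wraps, and runs both over a constructed Cookie header. The cookie name __Host-session and the trusted_session helper are assumptions made for illustration, not application or Rack code.

```ruby
require "uri"

# Constructed Cookie header. The browser holds a legitimate __Host-session
# cookie set by this host over HTTPS. An attacker who can write cookies from
# an insecure or sibling origin has also set one whose NAME is percent-encoded
# ("%5F%5F" decodes to "__"). Browsers enforce the __Host- rules only on names
# that literally begin with "__Host-", so the encoded name is stored and sent,
# and here it sorts ahead of the real cookie in the header.
ATTACKER_HEADER = "%5F%5FHost-session=attacker; __Host-session=legit"

# Mimics Rack < 2.2.3 / < 2.1.4: both the name and the value are decoded,
# and the first occurrence of a (decoded) name wins.
def parse_cookies_vulnerable(header)
  return {} unless header
  header.split(/; */).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    key, value = cookie.split("=", 2)
    key   = (URI.decode_www_form_component(key)   rescue key)
    value = (URI.decode_www_form_component(value) rescue value)
    cookies[key] = value unless cookies.key?(key)
  end
end

# The fixed behaviour from the advisory's workaround: only the value is
# decoded, so an encoded name stays "%5F%5FHost-session" and never collides
# with the genuinely prefixed cookie.
def parse_cookies_fixed(header)
  return {} unless header
  header.split(/; */).each_with_object({}) do |cookie, cookies|
    next if cookie.empty?
    key, value = cookie.split("=", 2)
    cookies[key] = (URI.decode_www_form_component(value) rescue value) unless cookies.key?(key)
  end
end

# Hypothetical application logic that trusts the __Host- prefix to mean
# "set over HTTPS by exactly this host".
def trusted_session(cookies)
  cookies["__Host-session"]
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable: #{trusted_session(parse_cookies_vulnerable(ATTACKER_HEADER))}"
  puts "fixed:      #{trusted_session(parse_cookies_fixed(ATTACKER_HEADER))}"
end
```

With the vulnerable parser the application's "trusted" session value is the attacker's; with value-only decoding the forged cookie is still visible to the application, but under its literal name, so a check keyed on the __Host- prefix sees only the legitimate cookie.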

Patches
-------

For developers who are not able to immediately upgrade their applications,
we are including the following patches for Rack 2.1.3 and Rack 2.2.2:

* 2-1-only-decode-cookie-values.patch
* 2-2-only-decode-cookie-values.patch

Credits
-------

Thank you to the GitHub security team and Matt Langlois (@fletchto99) for reporting this bug and
providing a patch.
