Information Exposure

Affecting rails-session-decoder package, ALL versions

medium severity

Overview

rails-session-decoder is a simple utility for decoding Rails 4.x sessions in Node.js.

Affected versions of this package are vulnerable to Information Exposure. The package does not verify the Message Authentication Code (MAC) appended to the cookies, which may lead to decryption of ciphertext and thus expose encrypted information.

Remediation

There is no fixed version for rails-session-decoder.
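
The missing check, written as a verify-then-decrypt routine. This is an added example, not code from rails-session-decoder or from this advisory. The cookie layout, PBKDF2 salts and iteration count are the Rails 4.x defaults as assumed here, the cookie value is assumed to be already URL-decoded, and the function names and sample values are constructed.

```javascript
// Added example: verify the MAC before decrypting. Assumed Rails 4.x layout:
//   cookie = data + "--" + hex(HMAC-SHA1(signKey, data))
//   data   = base64( base64(ciphertext) + "--" + base64(iv) ), AES-256-CBC
const crypto = require('crypto');

// Assumed Rails 4.x defaults: PBKDF2-HMAC-SHA1, 1000 iterations, these salts.
function deriveKeys(secretKeyBase) {
  const kdf = (salt) => crypto.pbkdf2Sync(secretKeyBase, salt, 1000, 64, 'sha1');
  return {
    encKey: kdf('encrypted cookie').subarray(0, 32), // AES-256 takes 32 bytes
    signKey: kdf('signed encrypted cookie'),
  };
}

// Returns the plaintext, or null when the MAC is missing or does not match.
function verifyAndDecrypt(cookie, { encKey, signKey }) {
  const sep = cookie.lastIndexOf('--');
  if (sep < 0) return null; // no MAC appended: reject
  const data = cookie.slice(0, sep);
  const mac = Buffer.from(cookie.slice(sep + 2), 'hex');
  const expected = crypto.createHmac('sha1', signKey).update(data).digest();
  // Constant-time comparison; decryption happens only after the MAC checks out.
  if (mac.length !== expected.length || !crypto.timingSafeEqual(mac, expected)) {
    return null;
  }
  const [ct, iv] = Buffer.from(data, 'base64').toString('latin1')
    .split('--').map((part) => Buffer.from(part, 'base64'));
  const decipher = crypto.createDecipheriv('aes-256-cbc', encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Constructed sample: seal a cookie in the same layout to exercise the check.
function sealSample(plaintext, { encKey, signKey }) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv('aes-256-cbc', encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const data = Buffer.from(`${ct.toString('base64')}--${iv.toString('base64')}`)
    .toString('base64');
  return `${data}--${crypto.createHmac('sha1', signKey).update(data).digest('hex')}`;
}

const keys = deriveKeys('constructed-secret-key-base-not-a-real-one');
const good = sealSample('{"session_id":"constructed"}', keys);
const tampered = (good[0] === 'A' ? 'B' : 'A') + good.slice(1); // one byte altered
console.log(verifyAndDecrypt(good, keys));
console.log(verifyAndDecrypt(tampered, keys));
```
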


Credit: Unknown
CWE: CWE-200
Snyk ID: SNYK-JS-RAILSSESSIONDECODER-73497
Disclosed: 08 Jan, 2019
Published: 10 Jan, 2019