Session Fixation Affecting rest-client package, versions >1.6.0, <1.8.0
- Snyk ID SNYK-RUBY-RESTCLIENT-20211
- published 23 Mar 2015
- disclosed 23 Mar 2015
- credit Unknown
Introduced: 23 Mar 2015
- CVE-2015-1820

Overview

The rest-client gem is an HTTP and REST client for Ruby.
Affected versions of this gem improperly handle Set-Cookie headers on HTTP 30x redirection responses in abstract_response.rb. Any cookies will be forwarded to the redirection target regardless of domain, path, or expiration.
If an attacker controls a redirection source, they can cause rest-client to perform a request to any third-party domain with cookies of their choosing, which may be useful in performing a Session Fixation attack.
If an attacker controls a redirection target, they can steal any cookies set by the third-party redirection request.
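As an added illustration (not rest-client's own code or its fix), the following Ruby applies the domain, path and expiration checks that the vulnerable versions skip, so that a cookie from a 30x response is only forwarded when the redirect target is actually within the cookie's scope. The function names and the sample hostnames are assumptions.

```ruby
require 'uri'
require 'time'

# Added illustration, not rest-client's own code: scope cookies from a 30x
# response to the redirect target instead of forwarding all of them.
def domain_match?(host, domain)
  host == domain || host.end_with?(".#{domain}")
end

# Parse one Set-Cookie header relative to the URI that set it. Returns nil when
# the Domain attribute does not cover the setting host (such a cookie is
# ignored entirely, so a redirect source cannot plant cookies for another site).
def parse_set_cookie(header, origin_uri)
  parts = header.split(';').map(&:strip)
  name, value = parts.shift.split('=', 2)
  origin_host = origin_uri.host.downcase
  cookie = { name: name, value: value, domain: origin_host, host_only: true, path: '/', expires: nil }
  parts.each do |attr|
    k, v = attr.split('=', 2)
    case k.downcase
    when 'domain'  then cookie[:domain] = v.to_s.sub(/\A\./, '').downcase; cookie[:host_only] = false
    when 'path'    then cookie[:path] = v.to_s
    when 'expires' then cookie[:expires] = (Time.parse(v.to_s) rescue nil)
    when 'max-age' then cookie[:expires] = Time.now + v.to_i
    end
  end
  return nil if !cookie[:host_only] && !domain_match?(origin_host, cookie[:domain])
  cookie
end

# RFC 6265 style checks against the redirect target: host/domain match,
# path-prefix match, and not expired.
def cookie_forwardable?(cookie, target_uri, now = Time.now)
  host = target_uri.host.downcase
  domain_ok = cookie[:host_only] ? host == cookie[:domain] : domain_match?(host, cookie[:domain])
  path = target_uri.path.empty? ? '/' : target_uri.path
  cp = cookie[:path]
  path_ok = path == cp || (path.start_with?(cp) && (cp.end_with?('/') || path[cp.length] == '/'))
  fresh = cookie[:expires].nil? || cookie[:expires] > now
  domain_ok && path_ok && fresh
end

# Cookie header values that may follow a redirect from origin to target.
def forwardable_cookies(set_cookie_headers, origin, target, now = Time.now)
  origin_uri = URI(origin)
  target_uri = URI(target)
  set_cookie_headers.map { |h| parse_set_cookie(h, origin_uri) }.compact
                    .select { |c| cookie_forwardable?(c, target_uri, now) }
                    .map { |c| "#{c[:name]}=#{c[:value]}" }
end
```

With these checks a redirect from an attacker-controlled host to a third-party domain forwards no cookies at all, which is the behaviour the advisory says the affected versions lack.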