Session Fixation

Affecting the sinatra gem, versions <1.2.1

medium severity

Overview

sinatra is a DSL for quickly creating web applications in Ruby with minimal effort.

Affected versions of the package are vulnerable to Session Fixation because session cookies are not signed with a session secret by default, so a client can present a session it constructed itself.

Remediation

Upgrade sinatra to version 1.2.1 or higher.
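The advisory's root cause is a cookie-stored session with no secret-keyed signature. The following is an added illustration, written for this page and not code from Sinatra or Rack, that contrasts an unsigned cookie (contents can be rewritten by whoever holds it) with an HMAC-signed one (any rewrite without the secret fails verification). It uses only the Ruby standard library; the encoding scheme, the `--` separator and the sample session values are constructed for the example and are not Sinatra's actual cookie format.

```ruby
require "openssl"
require "base64"
require "json"
require "securerandom"

# --- Unsigned scheme (what "no session secret" amounts to) ---------------
# The cookie is just encoded data; nothing binds it to the server.
def encode_unsigned(session)
  Base64.strict_encode64(JSON.generate(session))
end

def decode_unsigned(cookie)
  JSON.parse(Base64.strict_decode64(cookie))
rescue ArgumentError, JSON::ParserError
  nil
end

# --- Signed scheme (what a session secret buys you) ----------------------
# cookie = base64(payload) + "--" + HMAC-SHA256(secret, base64(payload))
# The "--" separator and hex digest are this example's constructed format.
def encode_signed(session, secret)
  payload = Base64.strict_encode64(JSON.generate(session))
  digest  = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  "#{payload}--#{digest}"
end

# Constant-time byte comparison so verification time does not depend on
# how many leading digest bytes happen to match.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the session hash, or nil when the signature does not verify
# or the payload is malformed. A server must treat nil as "no session".
def decode_signed(cookie, secret)
  payload, digest = cookie.split("--", 2)
  return nil if payload.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", secret, payload)
  return nil unless secure_equal?(digest, expected)
  JSON.parse(Base64.strict_decode64(payload))
rescue ArgumentError, JSON::ParserError
  nil
end

# A client that holds a valid signed cookie and swaps in different
# contents while keeping the old signature. With signing enabled the
# server rejects this, because the digest was computed over the old payload.
def rewrite_payload(signed_cookie, new_session)
  _old_payload, digest = signed_cookie.split("--", 2)
  "#{Base64.strict_encode64(JSON.generate(new_session))}--#{digest}"
end

# Walk through both schemes and report whether a rewritten cookie is accepted.
def demo
  secret   = SecureRandom.hex(32)          # constructed; load from config in a real app
  original = { "user" => "alice" }          # constructed sample session
  forged   = { "user" => "admin" }          # constructed rewrite attempt

  unsigned_accepted = !decode_unsigned(encode_unsigned(forged)).nil?
  signed_cookie     = encode_signed(original, secret)
  signed_accepted   = !decode_signed(rewrite_payload(signed_cookie, forged), secret).nil?

  { unsigned_rewrite_accepted: unsigned_accepted,   # true: no integrity check
    signed_rewrite_accepted:   signed_accepted }    # false: signature mismatch
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

In a Sinatra application the corresponding fix is to supply a secret alongside `enable :sessions`, for example `set :session_secret, ENV.fetch("SESSION_SECRET")`, so that the session cookie is signed and a client-constructed session is rejected rather than silently accepted.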


Credit
Konstantin Haase
CWE
CWE-384
Snyk ID
SNYK-RUBY-SINATRA-20468
Disclosed
12 Mar, 2011
Published
10 Jan, 2018