CVE-2024-26144
Sensitive Session Information Leak vulnerability in activestorage (RubyGems)

Sensitive Session Information Leak Proof of concept

What is CVE-2024-26144 About?

This vulnerability involves a sensitive session information leak in Active Storage due to improper caching. It allows proxies to cache session cookies along with public content, potentially leading to session sharing among users. Exploitation is relatively easy if a vulnerable proxy is in use, as it relies on default server configurations.

Affected Software

  • activestorage
    • >=7.0.0, <7.0.8.1
    • >=5.2.0, <6.1.7.7

Technical Details

The Active Storage module, in versions greater than or equal to 5.2.0 and less than 7.1.0, by default, sets a 'Set-Cookie' header containing the user's session cookie when serving blobs, alongside a 'Cache-Control: public' header. This configuration allows certain caching proxies to store both the publicly cacheable content and the associated 'Set-Cookie' header. Subsequently, when other users request the same cached content, the proxy may serve the previously cached 'Set-Cookie' header, effectively assigning another user's session to the new requester. This mechanism facilitates session hijacking or shared session states, as users might receive an attacker's session or vice versa, causing an information leak and potential unauthorized access.
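As an added example (not code from the advisory or from Rails itself), the following Ruby detects the header combination described above on any response and shows one defensive mitigation: a Rack middleware that drops Set-Cookie from shared-cacheable responses on blob routes. The `/rails/active_storage/` path prefix is an assumption; adjust it to where your blob routes are mounted.

```ruby
# Added example, not Rails or advisory code. Works with Rack 2 (mixed-case
# header names) and Rack 3 (lowercase names); no gems required.

def fetch_header(headers, name)
  headers[name] || headers[name.downcase]
end

# Parse "max-age=300, public" into { "max-age" => "300", "public" => nil }.
def cache_control_directives(value)
  return {} if value.nil?
  value.split(",").each_with_object({}) do |part, acc|
    name, val = part.strip.split("=", 2)
    acc[name.downcase] = val unless name.nil? || name.empty?
  end
end

# A shared cache (reverse proxy, CDN) may store the response when it is
# marked public, carries s-maxage, or is explicitly fresh via max-age
# (RFC 9111), and is not marked private or no-store.
def shared_cacheable?(headers)
  cc = cache_control_directives(fetch_header(headers, "Cache-Control"))
  return false if cc.key?("private") || cc.key?("no-store")
  cc.key?("public") || cc.key?("s-maxage") || cc.key?("max-age")
end

# The CVE-2024-26144 condition: a shared-cacheable response that also sets
# a cookie, so a proxy can replay one user's session cookie to the next.
def leaks_cookie_to_shared_cache?(headers)
  cookies = Array(fetch_header(headers, "Set-Cookie")).reject { |c| c.to_s.empty? }
  shared_cacheable?(headers) && !cookies.empty?
end

# Defensive Rack middleware: strip Set-Cookie from such responses on blob
# routes. The default path prefix is an assumption about the mounted routes.
class StripCookiesFromPublicResponses
  def initialize(app, path_prefix: %r{\A/rails/active_storage/})
    @app = app
    @path_prefix = path_prefix
  end

  def call(env)
    status, headers, body = @app.call(env)
    if env["PATH_INFO"].to_s.match?(@path_prefix) && leaks_cookie_to_shared_cache?(headers)
      headers.delete("Set-Cookie")
      headers.delete("set-cookie")
    end
    [status, headers, body]
  end
end
```

Running `leaks_cookie_to_shared_cache?` over captured responses from your blob endpoints is a quick way to confirm whether an upgrade or the middleware actually closed the gap.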

What is the Impact of CVE-2024-26144?

Successful exploitation may allow attackers to hijack user sessions, leading to unauthorized access to sensitive information or resources. It could also result in users sharing unintended session states, compromising privacy and user experience.

What is the Exploitability of CVE-2024-26144?

Exploitation of this vulnerability is of moderate complexity. It requires an attacker to be positioned between the victim and the Active Storage service, specifically through a caching proxy configured to cache 'Set-Cookie' headers. No authentication is strictly required to set up the conditions for exploitation, as it relies on the proxy's caching behavior. Remote access is necessary, as the vulnerability is network-based. The primary prerequisite is a misconfigured caching proxy that caches Set-Cookie headers for publicly cacheable content. Exploitation is more likely in environments where default proxy configurations are not reviewed or overridden, since the inadvertent caching of session identifiers then exposes users to session sharing.

What are the Known Public Exploits?

  • PoC author: gmo-ierae
    • Link: (URL not captured)
    • Commentary: PoC for CVE-2024-26144

What are the Available Fixes for CVE-2024-26144?

Available Upgrade Options

  • activestorage
    • >=5.2.0, <6.1.7.7 → Upgrade to 6.1.7.7
  • activestorage
    • >=7.0.0, <7.0.8.1 → Upgrade to 7.0.8.1

Additional Resources

What are Similar Vulnerabilities to CVE-2024-26144?

Similar Vulnerabilities: CVE-2023-45819, CVE-2022-29801, CVE-2021-39148, CVE-2020-8197, CVE-2016-0751