Reliance on Cookies without Validation and Integrity Checking

CVE-2021-41263

High

8.8/10

Summary

rails_multisite provides multi-db support for Rails applications. In affected versions prior to 4.0.0 this vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: LOW
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-565 - Reliance on Cookies without Validation and Integrity Checking

The application relies on the existence or values of cookies when performing security-critical operations, but it does not properly ensure that the setting is valid for the associated user.

References

Advisory Timeline

Published Nov 15, 2021

Reliance on Cookies without Validation and Integrity Checking

CVE-2021-41263

Summary

CWE-565 - Reliance on Cookies without Validation and Integrity Checking

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS