CVE-2024-26144

MEDIUM5.3EPSS 4.3%

Rails has possible Sensitive Session Information Leak in Active Storage

Published: 2/27/2024Modified: 4/30/2025

Also known as:GHSA-8h22-8cf7-hq6gBIT-rails-2024-26144

Description

# Possible Sensitive Session Information Leak in Active Storage There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the Set-Cookie, leading to an information leak. This vulnerability has been assigned the CVE identifier CVE-2024-26144. Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, > 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7 Impact ------ A proxy which chooses to caches this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa. This was patched in 7.1.0 but not previously identified as a security vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Upgrade to Rails 7.1.X, or configure caching proxies not to cache the Set-Cookie headers. Credits ------- Thanks to [tyage](https://hackerone.com/tyage) for reporting this!

Affected packages (3)

Bitnami/rails>= 5.2.0, < 6.1.8, >= 7.0.0, < 7.0.9
Debian/railsfrom 0, < 2:6.1.7.10+dfsg-1~deb12u1
RubyGems/activestorage>= 5.2.0, < 6.1.7.7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Affected packages (3)

CVSS scores

References (11)