Information Exposure Affecting rails-session-decoder package, versions <1.1.0
Snyk CVSS
Attack Complexity
High
Confidentiality
High
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JS-RAILSSESSIONDECODER-73497
- published 10 Jan 2019
- disclosed 8 Jan 2019
- credit Alex Hill
How to fix?
Upgrade rails-session-decoder
to version 1.1.0 or higher.
Overview
rails-session-decoder is a simple utility for decoding Rails 4.x sessions in node.js
Affected versions of this package are vulnerable to Information Exposure. Missing verification of the Message Authentication Code appended to the cookies may lead to decryption of cipher text thus exposing encrypted information.