Information Exposure

Affecting rails-session-decoder package, ALL versions

Overview

rails-session-decoder is a simple utility for decoding Rails 4.x sessions in node.js.

Affected versions of this package are vulnerable to Information Exposure. The decoder does not verify the Message Authentication Code appended to the cookie before decrypting it, so the ciphertext can be decrypted without its integrity being checked, which may expose the encrypted information.

Remediation

There is no fixed version for rails-session-decoder.

CVSS Score

5.9
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Credit
Alex Hill
CWE
CWE-200
Snyk ID
SNYK-JS-RAILSSESSIONDECODER-73497
Disclosed
08 Jan, 2019
Published
10 Jan, 2019