CVE-2007-5380 — Session Fixation in Rails

CWE-384 — Session Fixation CWE-362 — Race Condition7 documents5 sources

Severity

6.8MEDIUMNVD

EPSS

5.8%

top 9.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails David Hansson Ruby ON Rails

Timeline

PublishedOct 19

Latest updateOct 24

Description

Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails, allows remote attackers to hijack web sessions via unspecified vectors related to "URL-based sessions."

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶RubyGemsrubyonrails/rails< 1.2.4

▶Debianrubyonrails/rails< 1.2.5-1+3

▶NVDdavid_hansson/ruby_on_rails1.2.3

Patches

Patch: www.securityfocus.com ↗Patch: www.securityfocus.com ↗

🔴Vulnerability Details

GHSA

Session fixation vulnerability in Rails↗2017-10-24

▶

OSV

Session fixation vulnerability in Rails↗2017-10-24

▶

GHSA

session fixation protection mechanism in cgi_process.rb in Rails↗2017-10-24

▶

CVEList

CVE-2007-5380: Session fixation vulnerability in Rails before 1↗2007-10-19

▶

OSV

CVE-2007-5380: Session fixation vulnerability in Rails before 1↗2007-10-19

▶

📋Vendor Advisories

Debian

CVE-2007-5380: rails - Session fixation vulnerability in Rails before 1.2.4, as used for Ruby on Rails,...↗2007

▶