CVE-2020-8184
Published: 2020-06-19
Priority: P3 (43), high; CVSS 3.1 base score 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.94% (85.4th percentile)
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
Affected
27 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | php7.4 | < php7.4 7.4.11-1 (bullseye) | php7.4 7.4.11-1 (bullseye) |
| debian | ruby-rack | < ruby-rack 2.1.1-6 (bookworm) | ruby-rack 2.1.1-6 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| https | github.com_rack_rack | — | — |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| php | php | >= 7.2.0 < 7.2.34 | 7.2.34 |
| php | php | >= 7.3.0 < 7.3.23 | 7.3.23 |
| php | php | >= 7.4.0 < 7.4.11 | 7.4.11 |
| php_group | php | >= 7.2.x < 7.2.34 | 7.2.34 |
| php_group | php | >= 7.3.x < 7.3.23 | 7.3.23 |
| php_group | php | >= 7.4.x < 7.4.11 | 7.4.11 |
| rack | rack | >= 0 < 2.1.4 | 2.1.4 |
| rack | rack | >= 2.2.0 < 2.2.3 | 2.2.3 |
| rack_project | rack | < 2.1.4 | 2.1.4 |
| rack_project | rack | >= 2.2.0 < 2.2.3 | 2.2.3 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 5.3 | MEDIUM | — |
| osv | — | 8.6 | HIGH | — |
| vendor_ubuntu | — | 8.6 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
OSV · 2022-12-13 · CVSS 5.9 · CVE-2019-16782 [MEDIUM]
ruby-rack vulnerabilities
It was discovered that Rack insecurely handled session ids. An
unauthenticated remote attacker could possibly use this issue to perform
a timing attack and hijack sessions. (CVE-2019-16782)
It was discovered that Rack was incorrectly handling cookies during
parsing, not validating them or performing the necessary integrity checks.
An attacker could possibly use this issue to overwrite existing cookie
data and gain control over a remote system's behaviour. This issue only
affected Ubuntu 14.04 ESM. (CVE-2020-8184)
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could
GHSA · 2022-09-16 · CVSS 5.3 · CVE-2022-36032 [MEDIUM] · CWE-20
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
### Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
### Patches
* https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in [reactphp/http `v1.7.0`](https://github.com/reactphp/http/releases/tag/v1.7.0)
### Workarounds
Infrastructure or DevOps can place a reverse proxy i
OSV · 2022-09-16 · CVSS 5.3 · CVE-2022-36032 [MEDIUM]
ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent
### Impact
In ReactPHP's HTTP server component versions below v1.7.0, when ReactPHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like `__Host-` and `__Secure-` being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-7070 and CVE-2020-8184 for more information.
### Patches
* https://github.com/reactphp/http/commit/663c9a3b77b71463fa7fcb76a6676ffd16979dd6 - Fixed in [reactphp/http `v1.7.0`](https://github.com/reactphp/http/releases/tag/v1.7.0)
### Workarounds
Infrastructure or DevOps can place a reverse proxy i
GHSA (unreviewed) · 2022-05-24 · CVSS 7.5 · CVE-2020-7070 [HIGH] · CWE-565
GHSA-j7r5-hm2w-qqf9
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
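The PHP, ReactPHP and Rack advisories on this page all describe one mechanism: a server-side parser that URL-decodes cookie names lets a cookie whose encoded name decodes to `__Host-`/`__Secure-` land on the same key as the genuine prefixed cookie, even though a browser would never have set it under that prefix. The Ruby below is an added example, not Rack's, PHP's or ReactPHP's own code. It contrasts a name-decoding parser with one that keeps names exactly as sent (the fix direction the advisories describe), and adds a check a defender can run over a Cookie header to detect the collision. The sample Cookie header is constructed for the example, and the function names `parse_cookies_decoding_names`, `parse_cookies_raw_names` and `prefix_collision?` are chosen here.

```ruby
# Added example (not Rack's or PHP's code): why URL-decoding cookie names lets a
# percent-encoded name collide with a "__Host-" / "__Secure-" prefixed cookie,
# and how a parser that keeps names raw avoids it.
require 'cgi'

# Constructed sample Cookie header: the genuine __Host-session cookie followed by
# a second cookie whose name is percent-encoded so that it decodes to the same name.
SAMPLE_COOKIE_HEADER = '__Host-session=legit; %5F%5FHost-session=forged'.freeze

SECURITY_PREFIXES = ['__Host-', '__Secure-'].freeze

# Pre-fix behaviour described in the advisories: both name and value are
# URL-decoded, so the second cookie decodes to the same key and overwrites the first.
def parse_cookies_decoding_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    cookies[CGI.unescape(name)] = CGI.unescape(value.to_s)
  end
end

# Hardened behaviour (modelled on the fix direction the advisories describe, not
# Rack's own code): names are kept byte-for-byte as sent and only values are
# decoded, so an encoded name cannot alias a prefixed cookie. The first cookie
# with a given name wins, matching RFC 6265's "first occurrence" ordering.
def parse_cookies_raw_names(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    next if pair.empty?
    name, value = pair.split('=', 2)
    cookies[name] ||= CGI.unescape(value.to_s)
  end
end

# Defensive check: true when any cookie name in the header is *not* already a
# security-prefixed name but decodes to one. That is exactly the condition the
# advisories describe; such a header is either an attack attempt or a broken
# client and should be logged and the cookie ignored.
def prefix_collision?(header)
  names = header.split(/;\s*/).reject(&:empty?).map { |p| p.split('=', 2).first }
  names.any? do |raw|
    decoded = CGI.unescape(raw)
    decoded != raw && decoded.start_with?(*SECURITY_PREFIXES)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "decoding names:  #{parse_cookies_decoding_names(SAMPLE_COOKIE_HEADER).inspect}"
  puts "raw names:       #{parse_cookies_raw_names(SAMPLE_COOKIE_HEADER).inspect}"
  puts "prefix collision detected: #{prefix_collision?(SAMPLE_COOKIE_HEADER)}"
end
```

With the constructed header the decoding parser returns a single `__Host-session` entry holding the forged value, while the raw-name parser returns two distinct entries and the genuine value stays under `__Host-session`. The `prefix_collision?` check is independent of which parser an application uses, so it can sit in middleware or a WAF rule as a detection even on a patched stack.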
OSV · 2021-04-06 · CVSS 8.6 · CVE-2020-8161 [HIGH]
ruby-rack vulnerabilities
USN-4561-1 fixed vulnerabilities in Rack. This update provides the
corresponding update for Ubuntu 16.04 LTS, Ubuntu 20.04 LTS and Ubuntu 20.10.
Original advisory details:
It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-8161)
It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)
OSV · 2020-10-02 · CVSS 5.3 · CVE-2020-7070 [MEDIUM]
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
OSV · 2020-09-30 · CVSS 8.6 · CVE-2020-8161 [HIGH]
ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-8161)
It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)
GHSA · 2020-06-24 · CVE-2020-8184 [HIGH] · CWE-20
Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
OSV · 2020-06-24 · CVE-2020-8184 [HIGH]
Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
OSV · 2020-06-19 · CVSS 7.5 · CVE-2020-8184 [HIGH]
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
CISA ICS · 2026-01-27 · CVSS 7.5 · [HIGH]
Festo Didactic SE MES PC
ICS Advisory
Release Date: January 27, 2026
Alert Code: ICSA-26-027-02
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## Summary
MES PCs shipped with Windows 10 come pre-installed with XAMPP. XAMPP is a bundle of third-party open-source applications including the Apache HTTP Server, the MariaDB database and more. From time to time, vulnerabilities in these applications are discovered. These are fixed in newer versions of XAMPP by updating the bundled applications. MES PCs shipped with Windows 10 include a copy of XAMPP which contains around 140 such vulnerabilities listed in this advisory. They can be fixed by replacing XAMPP with Festo Didactic's Factory Control Panel application.
The
Ubuntu · 2022-12-13 · CVSS 6.3 · CVE-2020-8184 [MEDIUM]
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack insecurely handled session ids. An
unauthenticated remote attacker could possibly use this issue to perform
a timing attack and hijack sessions. (CVE-2019-16782)
It was discovered that Rack was incorrectly handling cookies during
parsing, not validating them or performing the necessary integrity checks.
An attacker could possibly use this issue to overwrite existing cookie
data and gain control over a remote system's behaviour. This issue only
affected Ubuntu 14.04 ESM. (CVE-2020-8184)
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST reques
Ubuntu · 2021-04-06 · CVSS 8.6 · CVE-2020-8161 [HIGH]
Title: Rack vulnerabilities
Summary: Rack could be made to expose sensitive information over the network.
USN-4561-1 fixed vulnerabilities in Rack. This update provides the
corresponding update for Ubuntu 16.04 LTS, Ubuntu 20.04 LTS and Ubuntu 20.10.
Original advisory details:
It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information. This issue
only affected Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
(CVE-2020-8161)
It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu · 2020-09-30 · CVSS 8.6 · CVE-2020-8161 [HIGH]
Title: Rack vulnerabilities
Summary: Rack could be made to expose sensitive information over the network.
It was discovered that Rack incorrectly handled certain paths. An attacker
could possibly use this issue to obtain sensitive information.
(CVE-2020-8161)
It was discovered that Rack incorrectly validated cookies. An attacker
could possibly use this issue to forge a secure cookie. (CVE-2020-8184)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2020-06-15 · CVSS 7.5 · CVE-2020-8184 [HIGH] · CWE-807
rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
A flaw was found in rubygem-rack. An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application. The highest threat from this vulnerability is to data integrity.
Statement: Because Red Hat OpenStack Platform 13.0 Operational Tools packages ships the flawed code, but does not use its functionality, its Impact has been reduced to 'Low'.
Red Hat Satell
Red Hat · 2020-06-14 · CVSS 4.3 · CVE-2020-7070 [MEDIUM] · CWE-20
php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
Package: php (Red Hat Enterprise Linux 5) - Out of support scope
Package: php53 (Red Hat Enterprise Linux 5) - Out of support scope
Package: php (Red Hat Enterprise Linux 6) - Out of support scope
Package: php (Red Hat Enterprise Linux 7) - Out of support scope
Package: php:7.2/php (Red
Debian · 2020 · CVSS 4.3 · CVE-2020-7070 [MEDIUM] · php7.4
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
Scope: local
bullseye: resolved (fixed in 7.4.11-1)
Debian · 2020 · CVSS 7.5 · CVE-2020-8184 [HIGH] · ruby-rack
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.
Scope: local
bookworm: resolved (fixed in 2.1.1-6)
bullseye: resolved (fixed in 2.1.1-6)
forky: resolved (fixed in 2.1.1-6)
sid: resolved (fixed in 2.1.1-6)
trixie: resolved (fixed in 2.1.1-6)
No detection rules found.
No public exploits indexed.
HackerOne · 2022-02-03 · CVSS 7.5 · CVE-2021-41819 [HIGH]
Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse
Release note: https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
> The old versions of CGI::Cookie.parse applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application.
> By this fix, CGI::Cookie.parse no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded.
> This is the same issue of CVE-2020-8184.
---
The following is copied from hackerone's report. https://hackerone.com/reports/910552
I found the same problem with https://hackerone.com/reports/89
Bugzilla · 2021-11-25 · CVSS 7.5 · CVE-2021-41819 [HIGH]
CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse
The old versions of `CGI::Cookie.parse` applied URL decoding to cookie names. An attacker could exploit this vulnerability to spoof security prefixes in cookie names, which may be able to trick a vulnerable application. By this fix, `CGI::Cookie.parse` no longer decodes cookie names. Note that this is an incompatibility if cookie names that you are using include non-alphanumeric characters that are URL-encoded. This is the same issue of CVE-2020-8184.
Reference:
https://www.ruby-lang.org/en/news/2021/11/24/cookie-prefix-spoofing-in-cgi-cookie-parse-cve-2021-41819/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 2026759]
Created ruby:2.5/ruby tracking bugs for this issue:
Affects: fedora
Bugzilla · 2020-10-06 · CVSS 4.3 · CVE-2020-7070 [MEDIUM]
CVE-2020-7070 php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server
In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing incoming HTTP cookie values, the cookie names are URL-decoded. This may lead to cookies with prefixes like __Host being confused with cookies whose names decode to such a prefix, allowing an attacker to forge a cookie that is supposed to be secure. See also CVE-2020-8184 for more information.
Reference:
https://bugs.php.net/bug.php?id=79699
Discussion:
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1885741]
---
Notice: this fix introduces a behavior change, as cookie names are no longer decoded, which may break applications relying on this (wro
Bugzilla · 2020-06-19 · CVSS 7.5 · CVE-2020-8184 [HIGH]
CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this is
Bugzilla · 2020-06-19 · CVSS 7.5 · CVE-2020-8184 [HIGH]
CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: thi
Bugzilla · 2020-06-19 · CVSS 7.5 · CVE-2020-8184 [HIGH]
CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names
An attacker may be able to trick a vulnerable application into processing an insecure (non-SSL) or cross-origin request if they can gain the ability to write arbitrary cookies that are sent to the application.
Reference:
https://groups.google.com/forum/#!msg/rubyonrails-security/OWtmozPH9Ak/4m00yHPCBAAJ
Discussion:
Created rubygem-rack tracking bugs for this issue:
Affects: epel-all [bug 1849143]
Affects: fedora-all [bug 1849142]
---
External References:
https://groups.google.com/forum/#!msg/rubyonrails-security/OWtmozPH9Ak/4m00yHPCBAAJ
---
* HackerOne report: https://hackerone.com/reports/895727
* Cookie RFC: https://www.ietf.org/rfc/rfc2965.txt
* Initial idea of Magic-coo
References:
- https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
- https://hackerone.com/reports/895727
- https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html
- https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html
- https://usn.ubuntu.com/4561-1/