CVE-2020-8184 — Reliance on Cookies without Validation and Integrity Checking in a Security Decision in Project Rack

CWE-784 — Reliance on Cookies without Validation and Integrity Checking in a Security Decision CWE-20 — Improper Input Validation CWE-565 — Reliance on Cookies without Validation and Integrity Checking CWE-807 — Reliance on Untrusted Inputs in a Security Decision28 documents11 sources

Severity

7.5HIGHNVD

NVD5.3CNA4.3GHSA5.3OSV8.6OSV5.9OSV5.3

EPSS

1.1%

top 22.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

PHP Group PHP PHP Rack Project Rack +8 more

Timeline

PublishedJun 19

Latest updateJan 27

Description

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶RubyGemsrack/rack2.2.0 — 2.2.3+1

▶NVDrack_project/rack2.2.0 — 2.2.3+1

▶CVEListV5https/github.com_rack_rackrack >= 2.2.3, rack >= 2.1.4

▶NVDphp/php7.2.0 — 7.2.34+2

▶Packagistreact/http0.7.0 — 1.7.0

Also affects: Debian Linux 10.0, 9.0, Fedora 31, 32, 33, Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 20.04

Patches

Patch: groups.google.com ↗Patch: hackerone.com ↗Patch: groups.google.com ↗

🔴Vulnerability Details

OSV

ruby-rack vulnerabilities↗2022-12-13

▶

GHSA

ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent↗2022-09-16

▶

OSV

ReactPHP's HTTP server parses encoded cookie names so malicious `__Host-` and `__Secure-` cookies can be sent↗2022-09-16

▶

GHSA

GHSA-j7r5-hm2w-qqf9: In PHP versions 7↗2022-05-24

▶

OSV

ruby-rack vulnerabilities↗2021-04-06

▶

📋Vendor Advisories

CISA ICS

Festo Didactic SE MES PC↗2026-01-27

▶

Ubuntu

Rack vulnerabilities↗2022-12-13

▶

Ubuntu

Rack vulnerabilities↗2021-04-06

▶

Ubuntu

Rack vulnerabilities↗2020-09-30

▶

Red Hat

rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names↗2020-06-15

▶

💬Community

HackerOne

Ruby CVE-2021-41819: Cookie Prefix Spoofing in CGI::Cookie.parse↗2022-02-03

▶

Bugzilla

CVE-2021-41819 ruby: Cookie prefix spoofing in CGI::Cookie.parse↗2021-11-25

▶

Bugzilla

CVE-2020-7070 php: URL decoding of cookie names can lead to different interpretation of cookies between browser and server↗2020-10-06

▶

Bugzilla

CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names [epel-all]↗2020-06-19

▶

Bugzilla

CVE-2020-8184 rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names [fedora-all]↗2020-06-19

▶