CVE-2020-8184

Summary

CVE	CVE-2020-8184
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-06-19 17:15:00 UTC
Updated	2023-02-16 19:24:00 UTC
Description	A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

Risk And Classification

Problem Types: CWE-20

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Rack Project	Rack	All	All	All	All
Application	Rack Project	Rack	All	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] [DLA 2275-1] ruby-rack security update	MLIST	lists.debian.org
[SECURITY] [DLA 3298-1] ruby-rack security update	MLIST	lists.debian.org
USN-4561-1: Rack vulnerabilities \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com
[CVE-2020-8184] Percent-encoded cookies can be used to overwrite existing prefixed cookie names	MISC	groups.google.com	Patch, Third Party Advisory
HackerOne	MISC	hackerone.com	Exploit, Patch, Third Party Advisory
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

181526 Debian Security Update for ruby-rack (DLA 3298-1)
198319 Ubuntu Security Notification for Ruby-rack Vulnerabilities (USN-4561-2)
238742 Red Hat Update for Satellite 6.8 release (RHSA-2020:4366)
750577 OpenSUSE Security Update for rmt-server (openSUSE-SU-2020:2000-1)
750580 OpenSUSE Security Update for rmt-server (openSUSE-SU-2020:1993-1)
753406 SUSE Enterprise Linux Security Update for rubygem-rack (SUSE-SU-2022:3347-1)