class Dawn::Kb::OSVDB_119878
Automatically created with rake on 2015-04-04
Public Class Methods
new()
click to toggle source
include RubyVersionCheck
Calls superclass method
Dawn::Kb::DependencyCheck::new
# File lib/dawn/kb/osvdb_119878.rb, line 10 def initialize message="rest-client Gem for Ruby contains a flaw in abstract_response.rb related to the handling of set-cookie headers in redirection responses that allows a remote, user-assisted attacker to conduct a session fixation attack. This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one. With a specially crafted request fixating the session identifier, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked." super({ :name=> "OSVDB_119878", :cve=>"2015-1820", :osvdb=>"119878", :cvss=>"", :release_date => Date.new(2015, 3, 24), :cwe=>"", :owasp=>"A9", :applies=>["rails", "sinatra", "padrino"], :kind=>Dawn::KnowledgeBase::DEPENDENCY_CHECK, :message=>message, :mitigation=>"Please upgrade rest-client gem version to 1.8.0 or later.", :aux_links=>["https://github.com/rest-client/rest-client/issues/369"] }) self.safe_dependencies = [{:name=>"rest-client", :version=>['1.8.0', '2.0.0.rc1', '2.0.0.rc2']}] end