CVE-2020-8184

HIGH

rack < 2.1.4 - Cookie Integrity Bypass via Unvalidated Prefix

Title source: llm
STIX 2.1

Description

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.

References (5)

Core 5
Core References
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/4561-1/
Mailing List, Third Party Advisory mailing-list
https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html
Mailing List, Patch, Third Party Advisory
https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
Exploit, Patch, Third Party Advisory
https://hackerone.com/reports/895727

Scores

CVSS v3 7.5
EPSS 0.0081
EPSS Percentile 74.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-20 CWE-784
Status published
Products (5)
canonical/ubuntu_linux 18.04
debian/debian_linux 9.0
debian/debian_linux 10.0
rack_project/rack < 2.1.4
rubygems/rack 0 - 2.1.4RubyGems
Published Jun 19, 2020
Tracked Since Feb 18, 2026