CVE-2024-26144

MEDIUM

Rails < 6.1.7.7 - Information Disclosure

Title source: rule

Description

Rails is a web-application framework. Starting with version 5.2.0, there is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a Set-Cookie header along with the user's session cookie when serving blobs. It also sets Cache-Control to public. Certain proxies may cache the Set-Cookie, leading to an information leak. The vulnerability is fixed in 7.0.8.1 and 6.1.7.7.

Exploits (2)

nomisec WORKING POC

by gmo-ierae · poc

https://github.com/gmo-ierae/CVE-2024-26144-test

View Code ZIP pw:eip

nomisec STUB

by usutani · poc

https://github.com/usutani/study-turbolinks-link

View Code ZIP pw:eip

References (6)

[Vendor Advisory] https://discuss.rubyonrails.org/t/possible-sensitive-session-information-leak-in-active-storage/84945

[Patch] https://github.com/rails/rails/commit/723f54566023e91060a67b03353e7c03e7436433

[Patch] https://github.com/rails/rails/commit/78fe149509fac5b05e54187aaaef216fbb5fd0d3

[Vendor Advisory] https://github.com/rails/rails/security/advisories/GHSA-8h22-8cf7-hq6g

[Third Party Advisory] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/activestorage/CVE-2024-26144.yml

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20240510-0013/

Scores

CVSS v3 5.3

EPSS 0.0310

EPSS Percentile 86.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE

CWE-200

Status published

Products (2)

rubygems/activestorage 5.2.0 - 6.1.7.7RubyGems

rubyonrails/rails 5.2.0 - 6.1.7.7

Published Feb 27, 2024

Tracked Since Feb 18, 2026