CVE-2024-26144 (activestorage): Possible Sensitive Session Information Leak in Active Storage

Ruby Security Advisory

There is a possible sensitive session information leak in Active Storage.
By default, Active Storage sends a `Set-Cookie` header along with the user’s
session cookie when serving blobs. It also sets `Cache-Control` to public.
Certain proxies may cache the `Set-Cookie`, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

Versions Affected: >= 5.2.0, < 7.1.0 Not affected: < 5.2.0, >= 7.1.0 Fixed Versions: 7.0.8.1, 6.1.7.7

# Impact

A proxy which chooses to caches this request can cause users to share
sessions. This may include a user receiving an attacker’s session or vice
versa.

This was patched in 7.1.0 but not previously identified as a security
vulnerability.

All users running an affected release should either upgrade or use one of the
workarounds immediately.

# Releases

The fixed releases are available at the normal locations.

# Workarounds

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the
`Set-Cookie` headers.

READ MORE