GHSA-gm98-g2wf-7c68 – amphp/artax

Package

Manager: composer
Name: amphp/artax
Vulnerable Version: >=2 <2.0.6 || >=0 <1.0.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A pctlN/A

Details

amphp/artax Cookie leakage to wrong origins and non-restricted cookie acceptance In artax version before 1.0.6 and 2 before 2.0.6, cookies of `foo.bar.example.com` were leaked to `foo.bar`. Additionally, any site could set cookies for any other site. Artax fixed this issue by following newer browser implementations now. Cookies can only be set on domains higher or equal to the current domain, but not on any public suffixes.

Metadata

Created: 2024-05-15T17:52:00Z
Modified: 2024-05-15T17:52:00Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-gm98-g2wf-7c68/GHSA-gm98-g2wf-7c68.json
CWE IDs: []
Alternative ID: N/A
Finding: F204
Auto approve: 1