CVE-2022-31033 – mechanize
Package
Manager: gem
Name: mechanize
Vulnerable Version: >=0 <2.8.5
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00444 pctl0.625
Details
Mechanize before v2.8.5 vulnerable to authorization header leak on port redirect

**Summary**

Mechanize (rubygem) `< v2.8.5` leaks the `Authorization` header after a redirect to a different port on the same site.

**Mitigation**

Upgrade to Mechanize v2.8.5 or later.

**Notes**

See [CVE-2022-27776](https://curl.se/docs/CVE-2022-27776.html) for a similar vulnerability in curl.

Cookies are shared with a server at a different port on the same site, per https://datatracker.ietf.org/doc/html/rfc6265#section-8.5 which states in part:

> Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.
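The defensive rule the fix implements is: an HTTP client following a redirect must treat a change of scheme, host or port as a change of origin and drop the `Authorization` header before issuing the redirected request, even though cookies (per RFC 6265) are still shared across ports. The following is an added illustration written for this page, not mechanize's own code; the function names `same_origin?` and `headers_for_redirect` and the sample URLs are constructed for the example.

```ruby
require 'uri'

# Two URIs share an origin only if scheme, host (case-insensitive) and
# port all match. URI() fills in the scheme's default port, so
# "https://example.com/" and "https://example.com:443/" compare equal.
def same_origin?(a, b)
  a = URI(a)
  b = URI(b)
  a.scheme == b.scheme &&
    a.host.to_s.casecmp?(b.host.to_s) &&
    a.port == b.port
end

# Given the URI of the request that received a 3xx, the Location header
# value (absolute or relative) and the headers that were sent, return the
# absolute redirect target and the headers safe to forward to it.
# Authorization is forwarded only when the target stays on the same
# scheme/host/port; a port change alone (the CVE-2022-31033 case) drops it.
def headers_for_redirect(original_uri, location, headers)
  target = URI.join(original_uri, location)
  forwarded = headers.dup
  unless same_origin?(original_uri, target)
    forwarded.delete_if { |name, _| name.casecmp?('Authorization') }
  end
  [target.to_s, forwarded]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample request: Basic credentials sent to port 443,
  # server redirects to port 8443 on the same host.
  sent = { 'Authorization' => 'Basic dXNlcjpwYXNz', 'Accept' => 'text/html' }
  target, fwd = headers_for_redirect('https://example.com/login',
                                     'https://example.com:8443/app', sent)
  puts "redirect to #{target}"
  puts "forwarded headers: #{fwd.keys.join(', ')}"   # Accept only
end
```

The same check also covers scheme downgrades (`https` to `http`) and host changes, which is the generalisation curl applied in its own fix; a relative `Location` resolves to the original origin and keeps the header.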
Metadata
Created: 2022-06-09T23:47:57Z
Modified: 2022-07-21T14:53:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/06/GHSA-64qm-hrgp-pgr9/GHSA-64qm-hrgp-pgr9.json
CWE IDs: ["CWE-200", "CWE-522"]
Alternative ID: GHSA-64qm-hrgp-pgr9
Finding: F017
Auto approve: 1