Ruby CGI Session Management Insecure File Permission Vulnerability


Ruby's CGI::Session can persist session data through its FileStore class. FileStore creates the session file with insecure file permissions, which could allow the session information it contains to be read by other local users.
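As an added example (not code from the advisory or from Ruby's own CGI::Session::FileStore), the block below shows the two defensive halves of this issue: creating a session file with an explicit owner-only mode so its permissions never depend on the process umask, and an audit that flags session files readable by group or other users. The `ruby_sess.` file-name prefix and the one-file-per-session layout are assumptions.

```ruby
require 'tmpdir'

# Constructed example; not the stdlib CGI::Session::FileStore source.
# Permission bits that grant read access to group or other users.
GROUP_OR_OTHER_READ = 0o044

# Create a session file that is private to the owner from the moment it
# exists. The explicit 0600 mode bounds the result regardless of the
# process umask, and File::EXCL refuses to reuse a pre-existing path.
def write_session_file(dir, sid, data)
  path = File.join(dir, "ruby_sess.#{sid}") # prefix is an assumption
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.write(data)
  end
  path
end

# Audit a session directory and return every session file that users other
# than the owner can read; this is the check to run against an existing
# store to detect the condition the advisory describes.
def readable_session_files(dir, prefix = "ruby_sess.")
  Dir.glob(File.join(dir, "#{prefix}*")).select do |path|
    (File.stat(path).mode & GROUP_OR_OTHER_READ) != 0
  end
end

# Demonstration on constructed data: one file left world-readable (the
# insecure behaviour), one written with the hardened helper. Only the
# first is reported.
def demo
  Dir.mktmpdir do |dir|
    legacy = File.join(dir, "ruby_sess.legacy")
    File.write(legacy, "user=alice")
    File.chmod(0o644, legacy) # constructed: simulate the permissive file
    write_session_file(dir, "hardened", "user=bob")
    readable_session_files(dir).map { |p| File.basename(p) }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME # => ["ruby_sess.legacy"]
```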
CVSS Severity

Base Metrics: 2.1 (Low) [NVD Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None

Affected Products

  • Ruby 1.6
  • Ruby 1.8
Turbolinux, Inc.
  • Turbolinux 10 Desktop
  • Turbolinux 10 F...
  • Turbolinux 10 Server
  • Turbolinux 7 Server
  • Turbolinux 7 Workstation
  • Turbolinux 8 Server
  • Turbolinux 8 Workstation
  • Turbolinux Home
Red Hat, Inc.
  • Red Hat Desktop (v.3)
  • Red Hat Enterprise Linux AS (v.2.1)
  • Red Hat Enterprise Linux AS (v.3)
  • Red Hat Enterprise Linux ES (v.2.1)
  • Red Hat Enterprise Linux ES (v.3)
  • Red Hat Enterprise Linux WS (v.2.1)
  • Red Hat Enterprise Linux WS (v.3)


An attacker could use the leaked session information to hijack sessions.

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information

  • Ruby
  • Turbolinux, Inc.
  • Red Hat, Inc.
CWE

CVE

  1. CVE-2004-0755

  1. National Vulnerability Database (NVD) : CVE-2004-0755
  2. SecurityFocus : 10946
  3. ISS X-Force Database : 16996
Revision History

  Web page published