JVNDB-2004-000323

[Japanese]
JVNDB-2004-000323
Ruby CGI Session Management Insecure File Permission Vulnerability
Overview
Ruby uses CGI::Session's FileStore. FileStore creates a session file with improper permission and this could lead to session information leak.
CVSS Severity (What is CVSS?)
Base Metrics: 2.1 (Low) [NVD Score] Access Vector: Local Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None

Affected Products

Ruby Ruby 1.6 Ruby 1.8 Turbolinux, Inc. Turbolinux 10 Desktop Turbolinux 10 F... Turbolinux 10 Server Turbolinux 7 Server Turbolinux 7 Workstation Turbolinux 8 Server Turbolinux 8 Workstation Turbolinux Home Red Hat, Inc. Red Hat Desktop (v.3) Red Hat Enterprise Linux AS (v.2.1) Red Hat Enterprise Linux AS (v.3) Red Hat Enterprise Linux ES (v.2.1) Red Hat Enterprise Linux ES (v.3) Red Hat Enterprise Linux WS (v.2.1) Red Hat Enterprise Linux WS (v.3)

Impact
An attacker could hijack sessions utilizing stolen information.
Solution
Please refer to the 'Vendor Information' section for official remediation and take appropriate action.
Vendor Information
Ruby Ruby : Top Page Turbolinux, Inc. Turbolinux Security Advisory : TLSA-2005-15 Red Hat, Inc. Red Hat Security Advisory : RHSA-2004:441
CWE (What is CWE?)

CVE (What is CVE?)
CVE-2004-0755
References
National Vulnerability Database (NVD) : CVE-2004-0755 SecurityFocus : 10946 ISS X-Force Database : 16996
Revision History
[2008/05/21] Web page published


Date Public	2004/08/16
Date First Published	2008/05/21
Date Last Updated	2008/05/21

Ruby CGI Session Management Insecure File Permission Vulnerability