JVNDB-2004-000323

Ruby CGI Session Management Insecure File Permission Vulnerability

Overview

Ruby's CGI::Session module can persist session data with its FileStore backend. FileStore creates the session file with insecure (overly permissive) file permissions, so other local users on the same host may be able to read the stored session information.

CVSS Severity

CVSS V2 Severity:
Base Metrics 2.1 (Low) [NVD Score]
  • Access Vector: Local
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
Affected Products

Ruby
  • Ruby 1.6
  • Ruby 1.8
Turbolinux, Inc.
  • Turbolinux 10_f
  • Turbolinux Desktop 10
  • Turbolinux Server 10
  • Turbolinux Server 7
  • Turbolinux Server 8
  • Turbolinux Workstation 7
  • Turbolinux Workstation 8
  • Turbolinux Home
Red Hat, Inc.
  • Red Hat Enterprise Linux 2.1 (as)
  • Red Hat Enterprise Linux 3 (as)
  • Red Hat Enterprise Linux 2.1 (es)
  • Red Hat Enterprise Linux 3 (es)
  • Red Hat Enterprise Linux 2.1 (ws)
  • Red Hat Enterprise Linux 3 (ws)
  • Red Hat Enterprise Linux Desktop 3.0

Impact

A local attacker who reads the leaked session information could use it to hijack user sessions.

Solution

Please refer to the 'Vendor Information' section for official remediation and take appropriate action.

Vendor Information

  • Ruby
  • Turbolinux, Inc.
  • Red Hat, Inc.

CWE

CVE

  1. CVE-2004-0755
References

  1. National Vulnerability Database (NVD) : CVE-2004-0755
  2. SecurityFocus : 10946
  3. ISS X-Force Database : 16996
Revision History

  • [2008/05/21]
      Web page published