Rails is a widely used web-application framework that gives developers a robust, easy-to-use platform for building web applications. In this article we discuss a sensitive session information leak (CVE-2024-26144) in Rails' Active Storage that affects versions from 5.2.0 onwards. We give an overview of the vulnerability, list the affected Rails versions, and explain how the issue was fixed in later releases. We also include code snippets and links to the original references so you can understand the problem and take appropriate action to mitigate the risk.

Vulnerability Details (CVE-2024-26144)

Active Storage is the part of Rails' built-in feature set that handles file uploads and attachments. Starting with version 5.2.0, it is possible for sensitive session information to leak through Active Storage: when serving blobs, Active Storage by default sends a Set-Cookie header containing the user's session cookie while also setting Cache-Control to public. Certain proxies and shared caches will store a response that carries Set-Cookie, so the session cookie can be cached and later served to other users, leading to an information leak.

Here is the setting the article associates with the vulnerability:

config.allow_blob_public_caching = true

The snippet above, which the article presents as the default setting for Active Storage, sets Cache-Control to public. As a result, some proxies may cache the Set-Cookie header along with the blob, potentially leaking sensitive session information.

Affected Versions

The vulnerability affects Rails versions 5.2.0 and onwards. The issue has been fixed in Rails versions 7.0.8.1 and 6.1.7.7.

Mitigation

To address this vulnerability, update your Rails application to a patched version, either 7.0.8.1 or 6.1.7.7. To do so, modify your application's Gemfile and specify the new version, as shown below:

gem 'rails', '~> 7.0.8.1'

or

gem 'rails', '~> 6.1.7.7'

After making the change, run this command to update your application's dependencies:

bundle update rails

Alternatively, if you cannot immediately upgrade to a patched version, you can manually set Cache-Control to private in your Active Storage service configuration. A private response is not stored by shared caches, so the Set-Cookie header is not cached by proxies and the risk of sensitive session information being leaked is reduced.

Here is a code snippet showing how to set Cache-Control to private. The first line belongs in the environment configuration (for example config/environments/production.rb) and selects the service; the service entry itself lives in config/storage.yml:

# config/environments/production.rb
config.active_storage.service = :cloudinary

# config/storage.yml
cloudinary:
  ...
  cache_control: 'private'
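Whichever route you take (upgrading so the controllers stop emitting Set-Cookie, or forcing a private Cache-Control), it is worth confirming the result on a deployed application. The following Ruby script is an added example written for this article, not code from Rails or the advisory: it parses a blob response's Cache-Control directives and reports when a Set-Cookie header is served without private or no-store, which is the condition that lets a shared cache store the session cookie. The sample headers and the cookie name _myapp_session are constructed, and check_blob_url is a hypothetical helper that needs network access.

```ruby
require 'net/http'
require 'uri'

# Parse a Cache-Control value into a Hash of directive => value
# (nil for bare directives such as "public" or "private").
def parse_cache_control(value)
  return {} if value.nil?
  value.split(',').each_with_object({}) do |directive, acc|
    name, val = directive.strip.downcase.split('=', 2)
    acc[name] = val&.delete('"') unless name.nil? || name.empty?
  end
end

# Returns a finding string when a Set-Cookie header is served without a
# Cache-Control directive that keeps the response out of shared caches
# (private or no-store); returns nil when the response is safe.
# headers: Hash of lowercase header name => value (Set-Cookie may be an Array).
def cookie_cache_finding(headers)
  cookies = Array(headers['set-cookie']).reject(&:empty?)
  return nil if cookies.empty? # no cookie in the response, nothing to leak

  directives = parse_cache_control(headers['cache-control'])
  return nil if directives.key?('private') || directives.key?('no-store')

  "Set-Cookie served with Cache-Control '#{headers['cache-control']}': " \
    'a shared cache may store and replay the session cookie'
end

# Issue a HEAD request to a blob URL and run the check on the live headers.
def check_blob_url(url)
  uri = URI(url)
  response = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') do |http|
    http.head(uri.request_uri)
  end
  # Net::HTTPResponse#to_hash yields lowercase names with Array values.
  cookie_cache_finding(response.to_hash)
end

# Constructed sample headers (not captured from a real application).
VULNERABLE_HEADERS = {
  'cache-control' => 'public, max-age=31536000',
  'set-cookie'    => ['_myapp_session=abc123; path=/; HttpOnly']
}.freeze
PATCHED_HEADERS = { 'cache-control' => 'public, max-age=31536000' }.freeze
PRIVATE_HEADERS = VULNERABLE_HEADERS.merge('cache-control' => 'private').freeze

if $PROGRAM_NAME == __FILE__
  [VULNERABLE_HEADERS, PATCHED_HEADERS, PRIVATE_HEADERS].each do |h|
    puts(cookie_cache_finding(h) || 'ok: cookie not exposed to shared caches')
  end
end
```

Note that many caches refuse to store responses carrying Set-Cookie by default, which is why the advisory says only certain proxies are affected; the check flags the header combination regardless of what sits in front of the application.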

Further Reading

1. Rails official website - https://rubyonrails.org/
2. The CVE-2024-26144 entry on the MITRE website - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26144
3. GitHub Security Advisory - https://github.com/advisories/GHSA-hj88-h3j7-hgq8
4. Rails Active Storage Guide - https://edgeguides.rubyonrails.org/active_storage_overview.html

Conclusion

CVE-2024-26144 is a notable vulnerability in Rails' Active Storage affecting versions from 5.2.0 onwards, and it may lead to leaks of sensitive session information. By upgrading to a patched Rails version or manually setting Cache-Control to private, developers can effectively mitigate this risk. Take prompt action to address this vulnerability and keep your Rails applications secure.

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 02/28/2024 14:07:00 UTC