CVE-2020-8184.yml

---
gem: rack
cve: 2020-8184
ghsa: j6w9-fv6q-3q52
url: https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak
title: Percent-encoded cookies can be used to overwrite existing prefixed cookie names
date: 2020-06-15
description: |
  It is possible to forge a secure or host-only cookie prefix in Rack using
  an arbitrary cookie write by using URL encoding (percent-encoding) on the
  name of the cookie. This could result in an application that is dependent on
  this prefix to determine if a cookie is safe to process being manipulated
  into processing an insecure or cross-origin request.
  This vulnerability has been assigned the CVE identifier CVE-2020-8184.

  Versions Affected:  rack < 2.2.3, rack < 2.1.4
  Not affected:       Applications which do not rely on __Host- and __Secure- prefixes to determine if a cookie is safe to process
  Fixed Versions:     rack >= 2.2.3, rack >= 2.1.4

  Impact
  ------

  An attacker may be able to trick a vulnerable application into processing an
  insecure (non-SSL) or cross-origin request if they can gain the ability to write
  arbitrary cookies that are sent to the application.

  Workarounds
  -----------

  If your application is impacted but you cannot upgrade to the released versions or apply
  the provided patch, this issue can be temporarily addressed by adding the following workaround:

  ```
  module Rack
    module Utils
      module_function def parse_cookies_header(header)
        return {} unless header
        header.split(/[;] */n).each_with_object({}) do |cookie, cookies|
          next if cookie.empty?
          key, value = cookie.split('=', 2)
          cookies[key] = (unescape(value) rescue value) unless cookies.key?(key)
        end
      end
    end
  end
  ```
cvss_v3: 7.5
patched_versions:
  - "~> 2.1.4"
  - ">= 2.2.3"