What is the severity of CVE-2021-41263?

CVE-2021-41263 has medium severity as it affects Rails applications using `rails_multisite` with potential impacts on signed/encrypted cookies.

How do I fix CVE-2021-41263?

To fix CVE-2021-41263, update the `rails_multisite` gem to version 4.0.0 or later.

Which versions of rails_multisite are affected by CVE-2021-41263?

CVE-2021-41263 affects all versions of `rails_multisite` prior to 4.0.0.

What applications are impacted by CVE-2021-41263?

Any Rails applications utilizing `rails_multisite` combined with signed/encrypted cookies are impacted by CVE-2021-41263.

Is CVE-2021-41263 exploitable?

Yes, depending on the application's use of cookies, CVE-2021-41263 may be exploitable.

Vulnerability/
CVE-2021-41263

high

8.8

CWE

327 200 565

15/11/2021

21/11/2024

CVE-2021-41263: Secure/signed cookies share secrets between sites in rails_multisite

First published: Mon Nov 15 2021(Updated: )

rails_multisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application. The issue has been patched in v4 of the `rails_multisite` gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
Discourse Rails Multisite	<4.0.0
	<4.0.0

Remedy

https://github.com/discourse/rails_multisite/commit/c6785cdb5c9277dd2c5ac8d55180dd1ece440ed0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2021-41263?
CVE-2021-41263 has medium severity as it affects Rails applications using `rails_multisite` with potential impacts on signed/encrypted cookies.
How do I fix CVE-2021-41263?
To fix CVE-2021-41263, update the `rails_multisite` gem to version 4.0.0 or later.
Which versions of rails_multisite are affected by CVE-2021-41263?
CVE-2021-41263 affects all versions of `rails_multisite` prior to 4.0.0.
What applications are impacted by CVE-2021-41263?
Any Rails applications utilizing `rails_multisite` combined with signed/encrypted cookies are impacted by CVE-2021-41263.
Is CVE-2021-41263 exploitable?
Yes, depending on the application's use of cookies, CVE-2021-41263 may be exploitable.

collector/nvd-index
agent/references
agent/type
collector/mitre-cve
source/MITRE
agent/title
agent/remedy
agent/severity
agent/weakness
agent/description
agent/first-publish-date
collector/nvd-api
source/NVD
agent/software-canonical-lookup
agent/last-modified-date
agent/author
agent/softwarecombine
agent/event
agent/tags
agent/source
vendor/discourse
canonical/discourse rails multisite

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.