CWE: 200
EPSS: 0.045%

CVE-2024-26144: Possible Sensitive Session Information Leak in Active Storage

First published: Mon Feb 26 2024

# Possible Sensitive Session Information Leak in Active Storage

There is a possible sensitive session information leak in Active Storage. By default, Active Storage sends a `Set-Cookie` header along with the user's session cookie when serving blobs. It also sets `Cache-Control` to public. Certain proxies may cache the `Set-Cookie`, leading to an information leak.

This vulnerability has been assigned the CVE identifier CVE-2024-26144.

- Versions Affected: >= 5.2.0, < 7.1.0
- Not affected: < 5.2.0, > 7.1.0
- Fixed Versions: 7.0.8.1, 6.1.7.7

Impact
------

A proxy which chooses to cache this request can cause users to share sessions. This may include a user receiving an attacker's session or vice versa.

This was patched in 7.1.0 but not previously identified as a security vulnerability.

All users running an affected release should either upgrade or use one of the workarounds immediately.

Releases
--------

The fixed releases are available at the normal locations.

Workarounds
-----------

Upgrade to Rails 7.1.X, or configure caching proxies not to cache the `Set-Cookie` headers.

Credits
-------

Thanks to [tyage](https://hackerone.com/tyage) for reporting this!
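As an added example (not code from the advisory or from Rails), the following Rack middleware detects the combination described above, a publicly cacheable response that also carries `Set-Cookie`, and drops the cookie header before such a response can reach a caching proxy. The `CookieCacheGuard` module, its method names and the sample blob response are constructed for this illustration.

```ruby
# Added example, not code from the advisory or from Rails: a Rack middleware that
# keeps a publicly cacheable response from carrying a Set-Cookie header, which is
# the combination CVE-2024-26144 describes for Active Storage blob responses.
module CookieCacheGuard
  # Case-insensitive header lookup, so the guard works with Rack 2 ("Set-Cookie")
  # and Rack 3 ("set-cookie") header conventions alike.
  def self.header(headers, name)
    pair = headers.find { |k, _| k.to_s.casecmp?(name) }
    pair && pair.last
  end

  # True when Cache-Control contains the "public" directive AND a cookie is set:
  # a proxy that stores this response would replay one user's session to others.
  def self.unsafe?(headers)
    directives = header(headers, 'cache-control').to_s.split(',').map(&:strip)
    cookie = header(headers, 'set-cookie')
    publicly_cacheable = directives.any? { |d| d.casecmp?('public') }
    publicly_cacheable && !cookie.nil? && !cookie.empty?
  end

  # Returns a copy of the headers with Set-Cookie removed when the response is
  # unsafe; otherwise the headers are returned unchanged.
  def self.sanitize(headers)
    return headers unless unsafe?(headers)
    headers.reject { |k, _| k.to_s.casecmp?('set-cookie') }
  end

  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      status, headers, body = @app.call(env)
      [status, CookieCacheGuard.sanitize(headers), body]
    end
  end
end

# Constructed sample of an affected blob response (cookie value is a placeholder).
BLOB_RESPONSE = lambda do |_env|
  [200,
   { 'cache-control' => 'max-age=3600, public',
     'content-type' => 'image/png',
     'set-cookie' => '_app_session=PLACEHOLDER_SESSION; path=/; HttpOnly' },
   ['<png bytes>']]
end
```

Wrapping an app as `CookieCacheGuard::Middleware.new(BLOB_RESPONSE).call(env)` returns the same status and body with the `set-cookie` header removed; responses marked `private` are passed through untouched.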

Credit: security-advisories@github.com

| Affected Software | Affected Version | How to fix |
|---|---|---|
| rubygems/activestorage | >=7.0.0 <7.0.8.1 | 7.0.8.1 |
| rubygems/activestorage | >=5.2.0 <6.1.7.7 | 6.1.7.7 |
| redhat/rubygem-activestorage | <7.0.8.1 | 7.0.8.1 |
| redhat/rubygem-activestorage | <6.1.7.7 | 6.1.7.7 |
| Ruby on Rails | >=5.2.0 <6.1.7.7 | |
| Ruby on Rails | >=7.0.0 <7.1.0 | |

Frequently Asked Questions

  • What is the severity of CVE-2024-26144?

    CVE-2024-26144 is classified as a possible information leak vulnerability that can expose sensitive session information.

  • How do I fix CVE-2024-26144?

    To fix CVE-2024-26144, upgrade Active Storage to version 7.0.8.1 or 6.1.7.7 or higher.

  • Which versions of Active Storage are affected by CVE-2024-26144?

    Versions of Active Storage from 5.2.0 to 7.0.8.0 and from 6.1.0 to 6.1.7.6 are affected by CVE-2024-26144.

  • What platforms are impacted by CVE-2024-26144?

    CVE-2024-26144 impacts both the rubygems and redhat packages of Active Storage.

  • Is a workaround available for CVE-2024-26144?

    There is no specific workaround for CVE-2024-26144; upgrading to the fixed versions is recommended.