CVE-2015-1820: Session fixation vulnerability via Set-Cookie headers
The rest-client gem (in abstract_response.rb) improperly handles Set-Cookie headers on HTTP redirection responses. Every cookie set by the redirecting response is forwarded to the redirection target regardless of its domain, path, or expiration. If you control a redirection source, you can cause rest-client to perform a request to any third-party domain with cookies of your choosing, which may be useful in performing a session fixation attack. If you control a redirection target, you can steal any cookies set by the third-party redirection request.
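The following is an added example, not rest-client's own code: a cookie filter for the redirect step that applies the checks the advisory says were missing. The function names (`cookies_for_redirect`, `parse_set_cookie`, `domain_matches?`, `path_matches?`) and the sample URLs and headers are constructed for illustration.

```ruby
require 'uri'
require 'time'
Cookie = Struct.new(:name, :value, :domain, :path, :expires)

# RFC 6265 default-path: the request path up to (not including) its last '/'.
def default_path(uri)
  p = uri.path.to_s
  return '/' unless p.start_with?('/') && p.count('/') > 1
  p[0, p.rindex('/')]
end

# Parse one Set-Cookie header value (Domain/Path default to the setting host/path).
def parse_set_cookie(header, origin_uri, now)
  pair, *attrs = header.split(/;\s*/)
  name, value = pair.split('=', 2)
  cookie = Cookie.new(name, value, origin_uri.host.downcase, default_path(origin_uri), nil)
  attrs.each do |attr|
    key, val = attr.split('=', 2)
    case key.to_s.downcase
    when 'domain'  then cookie.domain = val.to_s.downcase.sub(/\A\./, '')
    when 'path'    then cookie.path = val.to_s.start_with?('/') ? val : cookie.path
    when 'expires' then cookie.expires = (Time.parse(val.to_s) rescue nil)
    when 'max-age' then cookie.expires = now + val.to_i
    end
  end
  cookie
end

def domain_matches?(cookie, host)
  host == cookie.domain || host.end_with?(".#{cookie.domain}")
end

def path_matches?(cookie, path)
  path = '/' if path.empty?
  return true if path == cookie.path
  return false unless path.start_with?(cookie.path)
  cookie.path.end_with?('/') || path[cookie.path.length] == '/'
end

# Forwarding `set_cookie_headers` unchanged is the vulnerable behaviour; this keeps
# only cookies the setting host may set, that are unexpired, and that match the target.
def cookies_for_redirect(set_cookie_headers, origin_uri, target_uri, now = Time.now)
  set_cookie_headers.map { |h| parse_set_cookie(h, origin_uri, now) }.select do |c|
    domain_matches?(c, origin_uri.host.downcase) &&   # source may only set cookies for itself
      (c.expires.nil? || c.expires > now) &&          # drop expired cookies
      domain_matches?(c, target_uri.host.downcase) && # target must be in the cookie's domain
      path_matches?(c, target_uri.path)               # and under the cookie's path
  end.map { |c| "#{c.name}=#{c.value}" }
end
```

With a redirect from a source you do not trust to a third-party host, the first check alone rejects a cookie whose Domain attribute names the target, which is the planted-cookie case the advisory describes.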