GMS-2020-447: Sensitive Data Exposure in rails-session-decoder

September 2, 2020

All versions of rails-session-decoder are missing verification of the Message Authentication Code appended to the cookies. This may lead to decryption of cipher text thus exposing encrypted information. No fix is currently available. Consider using an alternative module until a fix is made available.

References

github.com/advisories/GHSA-44vf-8ffm-v2qh
www.npmjs.com/advisories/753

Code Behaviors & Features

Detect and mitigate GMS-2020-447 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →