GMS-2021-12: Authentication Bypass Using an Alternate Path or Channel and Authentication Bypass by Primary Weakness in rucio-webui
Impact
rucio-webui installations in the 1.26 release line can leak the contents of cookies to other sessions within the same WSGI container. As a result, Rucio authentication tokens are leaked to other users accessing the webui within a short time window, allowing those users to access the webui with the leaked authentication token. Privileges are therefore also escalated.
Rucio server / daemons are not affected by this issue; it is isolated to the webui.
Patches
This issue is fixed in the 1.26.7 release of the rucio-webui.
Workarounds
Installation of the 1.25.7 webui release. The 1.25 and previous webui release lines are not affected by this issue.
References
https://github.com/rucio/rucio/issues/4928