Security Bulletin
Summary
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix. Prior to discovery of this vulnerability, Aspera on Cloud used rack gem V2.2.2. Once the vulnerability was identified the version of rack gem used was upgraded to V2.2.3, which does not contain this vulnerability.
Vulnerability Details
CVEID: CVE-2020-8184
DESCRIPTION: Rack could allow a remote attacker to bypass security restrictions, caused by the lack of validation/integrity check security for cookies. By sending a specially crafted request, an attacker could exploit this vulnerability to forge a secure or host-only cookie prefix.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/183747 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| Aspera on Cloud | All |
Remediation/Fixes
Aspera on Cloud was upgraded to use rack gem V2.2.3 on 07/18/2020. No action by the customer is required.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Change History
05 Aug 2020: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
28 September 2020
UID
ibm16338791