Source: ruby-rack-session
Version: 2.1.1-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for ruby-rack-session.

CVE-2026-39324[0]:
| Rack::Session is a session management implementation for Rack. From
| 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handles
| decryption failures when configured with secrets:. If cookie
| decryption fails, the implementation falls back to a default decoder
| instead of rejecting the cookie. This allows an unauthenticated
| attacker to supply a crafted session cookie that is accepted as
| valid session data without knowledge of any configured secret.
| Because this mechanism is used to load session state, an attacker
| can manipulate session contents and potentially gain unauthorized
| access. This vulnerability is fixed in 2.1.2.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-39324
    https://www.cve.org/CVERecord?id=CVE-2026-39324
[1] https://github.com/rack/rack-session/security/advisories/GHSA-33qg-7wpp-89cq
[2] https://github.com/rack/rack-session/commit/f43638cb3a4d15c3ecaf59e67a04b47fda08eeac

Regards,
Salvatore
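The failure mode the advisory describes (a decryption failure that falls through to a secret-less decoder instead of rejecting the cookie) is easy to reproduce with a small cookie coder. The Ruby below is an added illustration written for this bug report; it is not rack-session's code, and the module name, the `secrets:` handling, the SHA-256 key derivation and the `base64(iv || tag || ciphertext)` wire format are all assumptions chosen for the example. `decode_vulnerable` shows the bad pattern, `decode_hardened` shows the fix: an undecryptable cookie yields an empty session, never the fallback decoder's output.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Toy encrypted session-cookie coder (example only, not rack-session's code).
module ToyCookieCoder
  CIPHER = 'aes-256-gcm'
  IV_LEN = 12
  TAG_LEN = 16

  # Assumption: derive a 32-byte AES key from a human-readable secret via SHA-256.
  def self.key_for(secret)
    OpenSSL::Digest::SHA256.digest(secret)
  end

  # Encrypt the session hash under the first (current) secret.
  # Wire format (assumption): base64(iv || auth_tag || ciphertext).
  def self.encode(session, secrets:)
    cipher = OpenSSL::Cipher.new(CIPHER).encrypt
    cipher.key = key_for(secrets.first)
    iv = cipher.random_iv
    ciphertext = cipher.update(JSON.generate(session)) + cipher.final
    Base64.strict_encode64(iv + cipher.auth_tag + ciphertext)
  end

  # Try every configured secret (older ones allow key rotation).
  # Returns the session Hash, or nil if no secret authenticates the cookie.
  def self.decrypt(cookie, secrets:)
    raw = Base64.strict_decode64(cookie)
    return nil if raw.bytesize <= IV_LEN + TAG_LEN
    iv = raw[0, IV_LEN]
    tag = raw[IV_LEN, TAG_LEN]
    ciphertext = raw[(IV_LEN + TAG_LEN)..]
    secrets.each do |secret|
      begin
        cipher = OpenSSL::Cipher.new(CIPHER).decrypt
        cipher.key = key_for(secret)
        cipher.iv = iv
        cipher.auth_tag = tag
        plaintext = cipher.update(ciphertext) + cipher.final
        return JSON.parse(plaintext.force_encoding(Encoding::UTF_8))
      rescue OpenSSL::Cipher::CipherError, JSON::ParserError
        next # wrong secret or tampered cookie: try the next secret
      end
    end
    nil
  rescue ArgumentError
    nil # malformed base64 or wrong field lengths
  end

  # Secret-less legacy decoder (assumption: base64-encoded JSON).
  def self.fallback_decode(cookie)
    JSON.parse(Base64.strict_decode64(cookie))
  rescue ArgumentError, JSON::ParserError
    {}
  end

  # VULNERABLE pattern: when no configured secret authenticates the cookie,
  # fall back to the secret-less decoder, so any cookie in that decoder's
  # format is loaded as session state without knowledge of a secret.
  def self.decode_vulnerable(cookie, secrets:)
    decrypt(cookie, secrets: secrets) || fallback_decode(cookie)
  end

  # HARDENED pattern: a cookie that does not authenticate under any configured
  # secret is untrusted input; start from an empty session instead.
  def self.decode_hardened(cookie, secrets:)
    decrypt(cookie, secrets: secrets) || {}
  end
end
```

A regression check for the fix is to feed the decoder a cookie that is valid for the fallback format but carries no authentication tag from any configured secret: the hardened decoder must return an empty session, and a cookie encrypted under a rotated-out secret that is still listed in `secrets:` must still decrypt.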

