CVE-2021-41263: Rails Multisite secure/signed cookies share secrets between sites in a multi-site application
CVSS Score: 6.2 (CVSS v3.1)
Basic Information
CVE ID:
GHSA ID:
EPSS Score: 0.42216%
CWE:
Published: 11/15/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
rails_multisite | rubygems | < 4.0.0 | 4.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The root cause was that every site in a multi-site deployment used the same cryptographic salts, so the keys protecting secure/signed cookies were identical across sites and a cookie issued for one site was valid on any other. The patch adds a call to CookieSalt.update_cookie_salts in the middleware's call chain so that the salts are varied per hostname. Before the fix, the middleware's call method already had the request's host-specific context available but did not use it to differentiate the salts; that omission is what allowed the cookie secrets to be shared between sites.
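As an added illustration (not the gem's or the patch's own code): a simplified Ruby model of why deriving cookie keys from a shared root secret with one fixed salt lets a cookie signed for one host verify on another, and how mixing the request host into the salt, as the fix does, stops that. The secret, host names, salt strings and cookie format are constructed for the demo.

```ruby
require "openssl"

# Constructed demo values: one root secret shared by all sites, as in a multi-site install.
SECRET_KEY_BASE = "constructed-demo-secret-shared-by-all-sites".freeze
DIGEST = "SHA256".freeze

# Rails-style key derivation: PBKDF2 over the shared root secret with a purpose salt.
def derive_key(salt)
  OpenSSL::PKCS5.pbkdf2_hmac(SECRET_KEY_BASE, salt, 1000, 32, OpenSSL::Digest.new(DIGEST))
end

# Vulnerable model: every site uses the same salt, so every site derives the same key.
# Fixed model: the salt is varied by the request host, mirroring what the patch does.
def key_for(host, per_host_salt:)
  salt = per_host_salt ? "signed cookie:#{host}" : "signed cookie"
  derive_key(salt)
end

# Cookie = payload plus an HMAC over it, separated by "--" (constructed format).
def sign_cookie(key, payload)
  "#{payload}--#{OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(DIGEST), key, payload)}"
end

# Constant-time comparison so verification does not leak the MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the payload if the MAC is valid under this key, nil otherwise.
def verify_cookie(key, cookie)
  payload, mac = cookie.split("--", 2)
  return nil if payload.nil? || mac.nil?
  expected = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new(DIGEST), key, payload)
  secure_compare(expected, mac) ? payload : nil
end

# Does a cookie issued by issuing_host verify when presented to target_host?
def accepted_across_sites?(issuing_host, target_host, per_host_salt:)
  cookie = sign_cookie(key_for(issuing_host, per_host_salt: per_host_salt), "user_id=42")
  !verify_cookie(key_for(target_host, per_host_salt: per_host_salt), cookie).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "shared salt:   #{accepted_across_sites?('a.example', 'b.example', per_host_salt: false)}" # true (the flaw)
  puts "per-host salt: #{accepted_across_sites?('a.example', 'b.example', per_host_salt: true)}"  # false
end
```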