6.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41263

GHSA ID

GHSA-844m-cpr9-jcmh

EPSS Score

0.42216%

CWE

CWE-200

Published

11/15/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41263

CVE-2021-41263:
Rails Multisite secure/signed cookies share secrets between sites in a multi-site application

Impact

This vulnerability impacts any Rails applications using rails_multisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on different 'sites' within a multi-site Rails application.

Patches

The issue has been patched in v4 of the rails_multisite gem. Note that this upgrade will invalidate all previous signed/encrypted cookies. The impact of this invalidation will vary based on the application architecture.

(GitHub Advisory)

6.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41263

GHSA ID

GHSA-844m-cpr9-jcmh

EPSS Score

0.42216%

CWE

CWE-200

Published

11/15/2021

Updated

5/4/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rails_multisite	rubygems	< 4.0.0	4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from shared cryptographic salts across multi-site instances. The patch introduced CookieSalt.update_cookie_salts in the middleware's call chain to vary salts per hostname. The absence of this salt modification in the original middleware implementation (before the security commit) directly caused the secret-sharing vulnerability. The middleware's call function is the execution point where host-specific context is available but wasn't utilized for salt differentiation prior to the fix.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T*is vuln*r**ility imp**ts *ny R*ils *ppli**tions usin* `r*ils_multisit*` *lon*si** R*ils' si*n**/*n*rypt** *ooki*s. **p*n*in* on *ow t** *ppli**tion m*k*s us* o* t**s* *ooki*s, it m*y ** possi*l* *or *n *tt**k*r to r*-us* *ooki*s on *i***

Reasoning

T** vuln*r**ility st*mm** *rom s**r** *rypto*r*p*i* s*lts **ross multi-sit* inst*n**s. T** p*t** intro*u*** *ooki*S*lt.up**t*_*ooki*_s*lts in t** mi**l*w*r*'s **ll ***in to v*ry s*lts p*r *ostn*m*. T** **s*n** o* t*is s*lt mo*i*i**tion in t** ori*in*

6.2

Basic Information

Concerned about an active attack path?

CVE-2021-41263: Rails Multisite secure/signed cookies share secrets between sites in a multi-site application

Impact

Patches

6.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-41263:
Rails Multisite secure/signed cookies share secrets between sites in a multi-site application

Vulnerability Intelligence
Miggo AI