
CVE-2021-41263: Rails Multisite secure/signed cookies share secrets between sites in a multi-site application

CVSS Score: 6.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.42216%
Published: 11/15/2021
Updated: 5/4/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rails_multisite | rubygems | < 4.0.0 | 4.0.0 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

Rails derives the keys for its signed and encrypted cookies from `secret_key_base` together with the `action_dispatch` cookie salts, so any two sites that share both values also share the same cookie keys. Before the fix, `rails_multisite` served every site from one Rails process with those salts left at their single configured values, so a signed or encrypted cookie issued by one site verified on every other site in the same deployment. The patch (rails_multisite 4.0.0) introduced `CookieSalt.update_cookie_salts` and invokes it from the middleware's `call` method, varying the salts with the request hostname so that each site derives distinct keys. The middleware's `call` is the point where the host is already known, but that host-specific context was not used to differentiate the salts prior to the fix.
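The following is an added example, not code from rails_multisite or from Rails. It models the key-derivation chain the analysis above describes with only the Ruby standard library: a shared `secret_key_base` and a cookie salt go through PBKDF2-HMAC (standing in for `ActiveSupport::KeyGenerator`), and the derived key drives an HMAC over a base64 payload (standing in for `ActiveSupport::MessageVerifier`). `shared_salt` reproduces the pre-fix condition, where the middleware never changed the salt; `per_host_salt` reproduces the post-fix condition, where the salt varies with the request host. The secret value, the host names, the PBKDF2 parameters and the exact way the host is folded into the salt are all assumptions made for the example; the page only states that the patched middleware varies the salts per hostname.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed secret: in a real deployment this is Rails' secret_key_base,
# which rails_multisite shares across every site served by the process.
SECRET_KEY_BASE = 'constructed-secret-key-base-shared-by-all-sites'.freeze

# Default value Rails ships for config.action_dispatch.signed_cookie_salt.
DEFAULT_SIGNED_COOKIE_SALT = 'signed cookie'.freeze

# Analogue of ActiveSupport::KeyGenerator#generate_key: PBKDF2-HMAC over the
# shared secret, with the cookie salt as the PBKDF2 salt. Iteration count and
# key length are illustrative, not Rails' exact parameters.
def derive_key(salt)
  OpenSSL::KDF.pbkdf2_hmac(SECRET_KEY_BASE, salt: salt, iterations: 1000,
                           length: 64, hash: 'sha1')
end

# Constant-time comparison so verification does not leak the digest byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Analogue of ActiveSupport::MessageVerifier#generate: base64 payload plus an
# HMAC under the derived key, joined with "--".
def sign_cookie(payload, key)
  data = Base64.strict_encode64(JSON.generate(payload))
  "#{data}--#{OpenSSL::HMAC.hexdigest('SHA1', key, data)}"
end

# Analogue of MessageVerifier#verified: returns the payload, or nil when the
# cookie was not signed under this key.
def verify_cookie(cookie, key)
  data, digest = cookie.to_s.split('--', 2)
  return nil if data.nil? || digest.nil?
  return nil unless secure_compare(digest, OpenSSL::HMAC.hexdigest('SHA1', key, data))
  JSON.parse(Base64.strict_decode64(data))
end

# Pre-fix behaviour (rails_multisite < 4.0.0): the middleware left the
# action_dispatch cookie salts untouched, so every host used the same salt.
def shared_salt(_host)
  DEFAULT_SIGNED_COOKIE_SALT
end

# Post-fix behaviour, modelled on CookieSalt.update_cookie_salts varying the
# salt per request host. Appending the host is an assumption about the exact
# form; the point is only that the salt differs per site.
def per_host_salt(host)
  "#{DEFAULT_SIGNED_COOKIE_SALT} #{host}"
end

# Does a session cookie minted by site A verify when replayed against site B?
# Host names are constructed for the example.
def cross_site_replay?(salt_for)
  key_a = derive_key(salt_for.call('a.example.test'))
  key_b = derive_key(salt_for.call('b.example.test'))
  cookie_from_a = sign_cookie({ 'user_id' => 42 }, key_a)
  !verify_cookie(cookie_from_a, key_b).nil?
end

if __FILE__ == $PROGRAM_NAME
  puts "shared salt   -> replay accepted: #{cross_site_replay?(method(:shared_salt))}"
  puts "per-host salt -> replay accepted: #{cross_site_replay?(method(:per_host_salt))}"
end
```

With the shared salt the cookie from site A is accepted by site B, which is the cross-site reuse the advisory describes; with the per-host salt the HMAC check fails and `verify_cookie` returns nil. One consequence of the mechanism worth planning for: once the salt depends on the host, any cookie issued under the old salt no longer verifies, so deploying a change of this kind invalidates existing signed and encrypted cookies.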


### Impact

This vulnerability impacts any Rails applications using `rails_multisite` alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker to re-use cookies on diff
